
Add Weak Random testcases #18

Open
davewichers wants to merge 1 commit into main from addTrustBoundTestcase

Conversation

@davewichers
Member

Per title

response.getWriter().println("Welcome back: " + user + "<br/>");
} else {
javax.servlet.http.Cookie rememberMe =
new javax.servlet.http.Cookie(cookieName, rememberMeKey);

Check failure

Code scanning / CodeQL

Insecure randomness High test

Potential Insecure randomness due to an Insecure randomness source.

Copilot Autofix

AI about 18 hours ago

To fix the problem, replace the use of java.util.Random with a cryptographically secure RNG such as java.security.SecureRandom when generating the bytes for rememberMeKey. This preserves existing functionality (random remember‑me tokens) while making them unpredictable to an attacker.

Concretely, within doPost in Benchmark00898.java, change the line that currently creates a new java.util.Random and calls nextBytes so that it uses a java.security.SecureRandom instance instead. Since this class doesn’t currently import SecureRandom, add an import for java.security.SecureRandom at the top of the file. No other logic needs to change: nextBytes(byte[]) exists on SecureRandom with the same signature, and the subsequent ESAPI Base64 encoding and cookie handling remain unchanged.

Specifically:

  • Add import java.security.SecureRandom; near the other imports.
  • Replace new java.util.Random().nextBytes(bytes); with new SecureRandom().nextBytes(bytes);.

No new helper methods or fields are required; using a local SecureRandom instance is sufficient for this context.

Suggested changeset 1
src/main/java/org/owasp/benchmark/testcode/Benchmark00898.java

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00898.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00898.java
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00898.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00898.java
@@ -18,6 +18,7 @@
 package org.owasp.benchmark.testcode;
 
 import java.io.IOException;
+import java.security.SecureRandom;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
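Review bot: this import only earns its place if the second hunk is also taken, and it departs from the file's existing style, which names servlet types fully qualified (`javax.servlet.http.Cookie rememberMe = new javax.servlet.http.Cookie(cookieName, rememberMeKey);` in the surrounding diff); either keep the import together with the simple-name call site, or use `new java.security.SecureRandom()` inline and drop the import, but not one without the other.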
@@ -54,7 +55,7 @@
         }
 
         byte[] bytes = new byte[10];
-        new java.util.Random().nextBytes(bytes);
+        new SecureRandom().nextBytes(bytes);
         String rememberMeKey = org.owasp.esapi.ESAPI.encoder().encodeForBase64(bytes, true);
 
         String user = "Byron";
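Review bot: merging this hunk would turn the deliberately weak sink into a secure one, while the pull request's stated purpose ("Add Weak Random testcases") is to add a case that uses `java.util.Random` for a remember-me key; the CodeQL finding on `new java.util.Random().nextBytes(bytes);` is the expected true positive, so the autofix should be dismissed rather than applied. If a secure counterpart is ever added as a separate case, note that `new byte[10]` yields an 80-bit token, and a 16-byte (128-bit) value is the more usual baseline for session-type identifiers.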
EOF
response.getWriter().println("Welcome back: " + user + "<br/>");
} else {
javax.servlet.http.Cookie rememberMe =
new javax.servlet.http.Cookie(cookieName, rememberMeKey);

Check failure

Code scanning / CodeQL

Insecure randomness High test

Potential Insecure randomness due to an Insecure randomness source.

Copilot Autofix

AI about 18 hours ago

In general, the fix is to replace uses of java.util.Random for generating security-sensitive values with java.security.SecureRandom, which is designed to be cryptographically strong and resistant to prediction. Any token or cookie that enables access or session continuation must be generated using a CSPRNG.

For this specific file, we should:

  • Replace new java.util.Random().nextDouble() with a SecureRandom-based token.
  • Keep functionality similar (a random-looking string) while changing only the randomness source.
  • Because we shouldn’t alter behavior more than necessary, we can keep using a double-derived string if we wish, but it’s cleaner to generate a random byte array and encode it as hex or base64. However, the current code expects a string of digits; to minimize functional change we can still derive from nextDouble(), but have it produced by SecureRandom. The simplest minimal change is: create a SecureRandom instance, call nextDouble(), and use it as before.

Concretely:

  • Add import java.security.SecureRandom; near the other imports in Benchmark00899.java.
  • Change line 68 from double value = new java.util.Random().nextDouble(); to use SecureRandom, e.g.:
    • java.security.SecureRandom secureRandom = new java.security.SecureRandom();
    • double value = secureRandom.nextDouble();
      This keeps all subsequent uses (Double.toString(value)...) unchanged, while ensuring the randomness source is cryptographically secure.

Suggested changeset 1
src/main/java/org/owasp/benchmark/testcode/Benchmark00899.java

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00899.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00899.java
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00899.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00899.java
@@ -18,6 +18,7 @@
 package org.owasp.benchmark.testcode;
 
 import java.io.IOException;
+import java.security.SecureRandom;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
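Review bot: the suggestion text above proposes the fully qualified form `java.security.SecureRandom secureRandom = new java.security.SecureRandom();` with no import, whereas this patch adds the import and uses the simple name in the next hunk; either is fine, but the description and the changeset should agree so a reviewer applying one by hand does not end up with an unused import or an unresolved symbol.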
@@ -65,7 +66,8 @@
                 break;
         }
 
-        double value = new java.util.Random().nextDouble();
+        SecureRandom secureRandom = new SecureRandom();
+        double value = secureRandom.nextDouble();
         String rememberMeKey = Double.toString(value).substring(2); // Trim off the 0. at the front.
 
         String user = "Donna";
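Review bot: swapping the randomness source does not fix the token construction on the unchanged line `String rememberMeKey = Double.toString(value).substring(2);`: `nextDouble()` carries at most 53 bits of randomness, `Double.toString` produces a variable-length string, and for values below 1e-3 it switches to scientific notation (1.0E-4 becomes `0E-4` after `substring(2)`), so the key stays short and occasionally malformed even with `SecureRandom`. As with Benchmark00898, this is a deliberate weak-random test case per the PR title, so the autofix should be dismissed; a secure variant would instead draw a fixed byte array from `SecureRandom` and Base64-encode it, as the suggestion text itself concedes.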
EOF
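Added example (not OWASP Benchmark code and not part of either autofix): it reproduces the double-derived token construction from Benchmark00899 on constructed inputs to show why it stays weak regardless of the RNG, beside a hardened remember-me token built the way the autofix text recommends, from a fixed byte array drawn from SecureRandom. The class name, the 16-byte minimum and the sample values are assumptions of this example.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper class for this example only.
public class RememberMeTokens {

    // Mirrors the Benchmark00899 construction: the decimal digits of a double.
    // Even with SecureRandom this carries at most 53 bits of randomness, has a
    // variable length, and picks up scientific notation for values below 1e-3.
    static String doubleDerivedToken(double value) {
        return Double.toString(value).substring(2); // trims the leading "0."
    }

    // Hardened variant: a fixed number of CSPRNG bytes, URL-safe Base64 so the
    // value survives cookie and URL transport without further encoding.
    // The 16-byte (128-bit) floor is this example's choice, not a Benchmark rule.
    static String secureToken(SecureRandom rng, int numBytes) {
        if (numBytes < 16) {
            throw new IllegalArgumentException("use at least 128 bits of token entropy");
        }
        byte[] bytes = new byte[numBytes];
        rng.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        // Constructed inputs exposing the double-derived pitfalls.
        System.out.println(doubleDerivedToken(0.5));             // "5"  (one digit)
        System.out.println(doubleDerivedToken(1.0E-4));          // "0E-4" (exponent leaks in)
        System.out.println(doubleDerivedToken(0.1234567890123)); // "1234567890123"

        SecureRandom rng = new SecureRandom();
        String token = secureToken(rng, 32); // 256 bits -> 43 Base64url characters
        System.out.println(token + " (" + token.length() + " chars)");
    }
}
```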