From j...@manico.net on April 06, 2014 18:39:56
The ESAPI for Java implementation of SecureRandom does not provide a random sequence of numbers. Because ESAPI uses a singleton to hold one instance of SecureRandom, the resulting random numbers are a predictable sequence. This also impacts the CSRF protection mechanism which depends on good random number generation.
To fix this, just use a new instance of SecureRandom each time instead of the ESAPI random number or CSRF calls.
(Thanks to David Rook for reporting this in Feb 2012)
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=323