StringUtils.union broken which has minor impact on CSRF Protection and random file name generation

Description

From j...@manico.net on April 06, 2014 18:39:56

The ESAPI for Java implementation of SecureRandom does not provide a random sequence of numbers. Because ESAPI uses a singleton to hold one instance of SecureRandom, the resulting random numbers are a predictable sequence. This also impacts the CSRF protection mechanism which depends on good random number generation.

To fix this, just use a new instance of SecureRandom each time instead of the ESAPI random number or CSRF calls.

(Thanks to David Rook for reporting this in Feb 2012)

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=323
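The issue title points at a broken StringUtils.union as the root cause, while the comment above blames the shared SecureRandom. The following is an added example, not ESAPI's own code: it builds a de-duplicated character-set union, draws tokens from one shared java.security.SecureRandom, and runs the frequency check a practitioner would use to confirm that every symbol of the alphabet actually appears with about the expected probability. A missing or duplicated symbol (the kind of defect a broken union produces) shows up as a count near zero or near twice the expected value. The class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.LinkedHashSet;
import java.util.Set;

// Added example (hypothetical names), not ESAPI code: random-token generation
// plus a sanity check on the alphabet it draws from.
public final class TokenSanityCheck {

    // One shared SecureRandom; the JDK class is safe for use from multiple threads.
    private static final SecureRandom RNG = new SecureRandom();

    /** Union of two character sets: de-duplicated, insertion order preserved. */
    static char[] union(char[] a, char[] b) {
        Set<Character> seen = new LinkedHashSet<>();
        for (char c : a) seen.add(c);
        for (char c : b) seen.add(c);
        char[] out = new char[seen.size()];
        int i = 0;
        for (char c : seen) out[i++] = c;
        return out;
    }

    /** Random string of the given length, each symbol drawn uniformly from alphabet. */
    static String randomString(int length, char[] alphabet) {
        if (alphabet.length == 0) throw new IllegalArgumentException("empty alphabet");
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // nextInt(bound) is unbiased, so no modulo bias for small alphabets.
            sb.append(alphabet[RNG.nextInt(alphabet.length)]);
        }
        return sb.toString();
    }

    /**
     * Frequency check: count every symbol over many samples and fail if any
     * symbol deviates from the expected 1/|alphabet| by more than the given
     * fraction, or if a symbol outside the alphabet ever appears. Returns true
     * when the output looks uniform over the whole alphabet.
     */
    static boolean looksUniform(char[] alphabet, int samples, double tolerance) {
        int[] counts = new int[alphabet.length];
        String s = randomString(samples, alphabet);
        for (int i = 0; i < s.length(); i++) {
            int idx = indexOf(alphabet, s.charAt(i));
            if (idx < 0) return false; // symbol not in alphabet: generator is broken
            counts[idx]++;             // duplicates in alphabet land on the first index
        }
        double expected = (double) samples / alphabet.length;
        for (int c : counts) {
            if (Math.abs(c - expected) > tolerance * expected) return false;
        }
        return true;
    }

    private static int indexOf(char[] alphabet, char c) {
        for (int i = 0; i < alphabet.length; i++) if (alphabet[i] == c) return i;
        return -1;
    }

    public static void main(String[] args) {
        char[] letters = "abcdefghijklmnopqrstuvwxyz".toCharArray();
        char[] digits = "0123456789".toCharArray();
        char[] alphanum = union(letters, digits);
        System.out.println("alphabet size: " + alphanum.length);
        System.out.println("token: " + randomString(32, alphanum));
        // 360000 draws over 36 symbols: expected 10000 each (sigma about 99).
        // A 5% tolerance is roughly five sigma, so a healthy generator passes
        // while a dropped or doubled symbol (0 or ~20000) fails immediately.
        System.out.println("uniform: " + looksUniform(alphanum, 360_000, 0.05));
    }
}
```

Run it as a plain `java TokenSanityCheck.java`; a `false` from looksUniform means either the alphabet construction or the draw is wrong and the tokens it feeds (CSRF tokens, random file names) carry less entropy than their length suggests.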

Environment

None

Status

Assignee

Unassigned

Reporter

Max Gelman

Priority
