Our Veracode scan flagged usage of Random in Draft_6455.java as a vulnerability.
https://cwe.mitre.org/data/definitions/331.html
According to the WebSocket Protocol:
For example, each masking could be drawn from a cryptographically strong random number generator. If the same key is used or a decipherable pattern exists for how the next key is chosen, the attacker can send a message that, when masked, could appear to be an HTTP request (by taking the message the attacker wishes to see on the wire and masking it with the next masking key to be used, the masking key will effectively unmask the data when the client applies it).
According to this specification, the library should be using SecureRandom to prevent brute force attacks.
Environment (please complete the following information):
- Version used: 1.5.1
- Java version: 1.8
- Operating System and version: Android
- Endpoint Name and version:
- Link to your project:
Additional context
Add any other context about the problem here.
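For reference, the following is an added, self-contained illustration of the change this issue asks for; it is not code from Java-WebSocket and does not reproduce Draft_6455.java. It shows a 4-octet masking key drawn from java.security.SecureRandom and the client-side XOR masking step of RFC 6455 section 5.3 (which requires the masking key to come from a strong source of entropy), with the flagged java.util.Random pattern left as a commented-out line for comparison. The class and method names are assumptions for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

/** Client-side frame masking per RFC 6455 section 5.3 with a CSPRNG-backed key source. */
public final class MaskingKeyExample {

    // One shared instance: SecureRandom is thread-safe, and seeding is the expensive
    // part. new SecureRandom() selects the platform default provider, which is the
    // right choice on both desktop JVMs and Android (getInstanceStrong() may block).
    private static final SecureRandom RNG = new SecureRandom();

    // The pattern the scanner flags (CWE-331): java.util.Random is a 48-bit LCG whose
    // internal state is recoverable from a few observed outputs, so every later
    // masking key becomes predictable to anyone who saw earlier frames.
    // private static final java.util.Random WEAK_RNG = new java.util.Random();

    private MaskingKeyExample() {
    }

    /** Returns a fresh 4-octet masking key drawn from the CSPRNG. */
    public static byte[] newMaskingKey() {
        byte[] key = new byte[4];
        RNG.nextBytes(key);
        return key;
    }

    /**
     * XORs payload octet i with key octet (i mod 4), exactly as RFC 6455 section 5.3
     * specifies. Masking and unmasking are the same operation.
     */
    public static byte[] applyMask(byte[] payload, byte[] key) {
        if (key.length != 4) {
            throw new IllegalArgumentException("masking key must be exactly 4 octets");
        }
        byte[] out = new byte[payload.length];
        for (int i = 0; i < payload.length; i++) {
            out[i] = (byte) (payload[i] ^ key[i % 4]);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample payload for the demonstration.
        byte[] payload = "hello websocket".getBytes(StandardCharsets.UTF_8);
        byte[] key = newMaskingKey();
        byte[] masked = applyMask(payload, key);
        byte[] unmasked = applyMask(masked, key);
        System.out.printf("masking key = %08x%n", ByteBuffer.wrap(key).getInt());
        System.out.println("masked differs from plaintext: " + !Arrays.equals(payload, masked));
        System.out.println("round-trip restores plaintext: " + Arrays.equals(payload, unmasked));
    }
}
```

The only behavioural difference from a Random-based implementation is the source of the four key octets; the masking arithmetic and the frame layout are unchanged, so swapping the generator in the library is a drop-in change with no wire-format impact.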