From 1ba0d42d145bb24969990d222bcf2637b140657b Mon Sep 17 00:00:00 2001
From: "pixee-demo[bot]" <194135640+pixee-demo[bot]@users.noreply.github.com>
Date: Tue, 13 May 2025 00:21:34 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20(Snyk)=20Fixed=20finding:=20"java/I?=
 =?UTF-8?q?nsecureSecret"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../webgoat/lessons/cryptography/HashingAssignment.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
index b83f931a80..8e2bf56284 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
@@ -24,6 +24,7 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
@@ -50,7 +51,7 @@ public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException
 String md5Hash = (String) request.getSession().getAttribute("md5Hash");
 if (md5Hash == null) {
- String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+ String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
 MessageDigest md = MessageDigest.getInstance("MD5");
 md.update(secret.getBytes());
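Review bot: `import java.util.Random;` is kept as a context line directly after the added `import java.security.SecureRandom;`, while both uses of `Random` visible in this patch (in `getMd5` and in the `getSha256` hunk) are replaced. If no other use of `Random` remains in the file, which cannot be confirmed from the hunks shown, the import is now unused and the commit should delete the line `import java.util.Random;` rather than leave it behind. An unused import is what most Java linters flag first on a scanner-generated patch like this one.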
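Review bot: Replacing `new Random()` with `new SecureRandom()` in `String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];` changes only how the index is drawn; the secret is still one of the `SECRETS.length` fixed, compiled-in values, so the stored hash can be matched against that list regardless of generator quality, and the weakness behind the finding (a hard-coded secret set, here digested with MD5 on the following context line) is not addressed by this commit. In WebGoat this may be deliberate lesson material, in which case a comment on the changed line saying so would stop the next scanner-driven patch from repeating the exercise, e.g. `// Lesson fixture: the secret is intentionally drawn from a small hard-coded list`. Style-wise, constructing a `SecureRandom` on every request is unnecessary since `SecureRandom` is thread-safe; a single `private static final SecureRandom RANDOM = new SecureRandom();` field indexed as `SECRETS[RANDOM.nextInt(SECRETS.length)]` would do. The same applies to the identical change in the `getSha256` hunk. `getMd5`'s signature is on the hunk header and its body continues past the hunk.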
@@ -68,7 +69,7 @@ public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmExcept
 String sha256 = (String) request.getSession().getAttribute("sha256");
 if (sha256 == null) {
- String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+ String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
 sha256 = getHash(secret, "SHA-256");
 request.getSession().setAttribute("sha256Hash", sha256);
 request.getSession().setAttribute("sha256Secret", secret);