Commit ce20c4a

egregius313 and subatoi committed
Docs review suggestions
Co-authored-by: Ben Ahmady <[email protected]>
1 parent 7362158 commit ce20c4a

1 file changed

+5
-5
lines changed

java/ql/src/Security/CWE/CWE-330/InsecureRandomness.qhelp

Lines changed: 5 additions & 5 deletions
@@ -4,21 +4,21 @@
44
<qhelp>
55
<overview>
66
<p>
7-
Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value,
8-
such as a password, makes it easier for an attacker to predict the value.
7+
If you use a cryptographically weak pseudo-random number generator to generate security-sensitive values,
8+
such as passwords, attackers can more easily predict those values.
99
</p>
1010
<p>
1111
Pseudo-random number generators generate a sequence of numbers that only approximates the properties
1212
of random numbers. The sequence is not truly random because it is completely determined by a
13-
relatively small set of initial values, the seed. If the random number generator is
13+
relatively small set of initial values (the seed). If the random number generator is
1414
cryptographically weak, then this sequence may be easily predictable through outside observations.
1515
</p>
1616

1717
</overview>
1818
<recommendation>
1919
<p>
2020
Use a cryptographically secure pseudo-random number generator if the output is to be used in a
21-
security-sensitive context. As a rule of thumb, a value should be considered "security-sensitive"
21+
security-sensitive context. As a general rule, a value should be considered "security-sensitive"
2222
if predicting it would allow the attacker to perform an action that they would otherwise be unable
2323
to perform. For example, if an attacker could predict the random password generated for a new user,
2424
they would be able to log in as that new user.
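Review bot: the rewritten lines 7-8 switch the overview to second person ("If you use ... attackers can more easily predict"), while the recommendation paragraph in the same hunk keeps the impersonal, imperative register ("Use a cryptographically secure ...", "the attacker"); keeping one voice would read more consistently, for example `Using a cryptographically weak pseudo-random number generator for security-sensitive values, such as passwords, makes those values easier for an attacker to predict.` The unchanged line 14 ("may be easily predictable through outside observations") also leaves the reader guessing what is observed; stating it directly, e.g. `may be predictable by an attacker who observes other values produced by the same generator`, makes the risk concrete and matches the cookie example later in the file.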
@@ -36,7 +36,7 @@
3636
</p>
3737

3838
<p>
39-
In the first case, we generate a fresh cookie by appending a random integer to the end of a static
39+
In the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static
4040
string. The random number generator used (<code>Random</code>) is not cryptographically secure,
4141
so it may be possible for an attacker to predict the generated cookie.
4242
</p>
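Review bot: the new "(BAD)" label on line 39 only helps if it matches the marker used in the example's own comments; if the snippet is annotated differently, the prose and code will disagree, so check the example source and use the same label in both places. Since the `Random` on line 40 is the unqualified class name, consider writing `<code>java.util.Random</code>` so readers do not confuse it with other types called Random, and mention that its output can be inferred from values it has already produced, which is what makes the cookie predictable.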