27 lines
998 B
Plaintext
27 lines
998 B
Plaintext
=== relates to: S3329
|
|
|
|
=== relates to: S4347
|
|
|
|
=== on 16 Jan 2015, 08:54:49 Sébastien Gioria wrote:
|
|
This rule should be tag OWASP-Top10. It's part of OWASP Top10 A6-Sensitive_Data_Exposure.
|
|
|
|
|
|
It could bee tag also :
|
|
|
|
|
|
* CWE Entry 310 on Cryptographic Issues (\http://cwe.mitre.org/data/definitions/310.html)
|
|
* CWE Entry 326 on Weak Encryption (\http://cwe.mitre.org/data/definitions/326.html)
|
|
|
|
=== on 19 Jan 2015, 09:04:43 Ann Campbell wrote:
|
|
Thanks [~sebastien.gioria]
|
|
|
|
=== on 27 Jul 2018, 20:50:24 Ann Campbell wrote:
|
|
\[~nicolas.harraudeau] where do you expect the issue to be raised? On the ``++rand()++`` call or where the value is used?
|
|
|
|
=== on 30 Jul 2018, 10:05:05 Nicolas Harraudeau wrote:
|
|
\[~ann.campbell.2] On the rand() call. This is a hotspot because we are not yet able to detect if the context is dangerous or not.
|
|
|
|
|
|
We could later detect that an encryption function or a hash is using the generated value, but it would then be classified as a Vulnerability instead of a Hotspot.
|
|
|