# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

**Stack:** Python

- Prevalence: Hoch Häufig ausgenutzt
- Impact: Hoch 2 Regeln mit hohem Schweregrad
- Prevention: Dokumentiert 4 Fix-Beispiele

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism.

## Prevention

Präventionsstrategien für Weak PRNG basierend auf 2 Shoulder-Erkennungsregeln.

### Python

Use the secrets module for tokens, passwords, and all security-sensitive randomness

Use the secrets module instead of random for security-sensitive operations

## Warning Signs

- [MEDIUM] use of insecure random number generators (random module) for
security-critical operations
- [MEDIUM] use of the random module for security-sensitive operations like
tokens, passwords, or cryptographic 

## Consequences

- Schutzmechanismus umgehen
- Privilegien erlangen

## Mitigations

- Kryptografisch sichere Zufallszahlengeneratoren (CSPRNG) verwenden
- In JavaScript crypto.getRandomValues() oder crypto.randomUUID() verwenden
- In Python das Modul secrets statt random verwenden

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **Insecure Random Number Generation** [MEDIUM]: Detects use of insecure random number generators (random module) for
security-critical operations. Use secrets module or os.urandom() for
cryptographic randomness (tokens, passwords, keys, nonces).
  - Remediation: Use the secrets module for tokens, passwords, and security-sensitive operations.

```python
import secrets

# Generate secure token
token = secrets.token_urlsafe(32)

# Generate secure hex token
reset_token = secrets.token_hex(32)

# Generate secure bytes for keys/salt
key = secrets.token_bytes(32)
```

Learn more: https://shoulder.dev/learn/python/cwe-338/insecure-randomness
- **Cryptographically Weak Random Number Generation** [MEDIUM]: Detects use of the random module for security-sensitive operations like
tokens, passwords, or cryptographic keys. The random module is not
cryptographically secure. Use the secrets module instead.
  - Remediation: Use the secrets module instead of random for security-sensitive operations.

```python
import secrets

token = secrets.token_hex(32)
api_key = secrets.token_urlsafe(32)

# For passwords:
import string
alphabet = string.ascii_letters + string.digits
password = ''.join(secrets.choice(alphabet) for _ in range(12))
```

Learn more: https://shoulder.dev/learn/python/cwe-338/weak-random