# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338) The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. **Stack:** JavaScript - Prevalence: Alta Frecuentemente explotada - Impact: Alto 2 reglas de severidad alta - Prevention: Documentada 4 ejemplos de corrección **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism. ## Prevention Estrategias de prevención para Weak PRNG basadas en 1 reglas de detección de Shoulder. ### Key Practices - Use of Math ### JavaScript Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values ## Warning Signs - [HIGH] Math.random() used for security-sensitive operation: ... - [HIGH] use of Math ## Consequences - Eludir mecanismo de protección - Obtener privilegios ## Mitigations - Usa generadores de números aleatorios criptográficamente seguros (CSPRNG) - En JavaScript, usa crypto.getRandomValues() o crypto.randomUUID() - En Python, usa el módulo secrets en lugar de random ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers. - Remediation: Replace Math.random() with cryptographically secure alternatives. ### Typescript (1 rules) - **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers. - Remediation: Replace Math.random() with cryptographically secure alternatives.