# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

**Stack:** Go

- Prevalence: Élevée Fréquemment exploitée
- Impact: Élevé 2 règles de sévérité élevée
- Prevention: Documentée 4 exemples de correctifs

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism.

## Prevention

Stratégies de prévention pour Weak PRNG basées sur 1 règles de détection Shoulder.

### Go

Use crypto/rand instead of math/rand for security-sensitive values

## Warning Signs

- [HIGH] math/rand used for security-sensitive random values

## Consequences

- Contourner le mécanisme de protection
- Obtenir des privilèges

## Mitigations

- Utilisez des générateurs de nombres aléatoires cryptographiquement sécurisés (CSPRNG)
- En JavaScript, utilisez crypto.getRandomValues() ou crypto.randomUUID()
- En Python, utilisez le module secrets plutôt que random

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Weak Random Number Generation for Security** [HIGH]: Uses math/rand for security tokens, keys, or session IDs instead of crypto/rand.
  - Remediation: Use crypto/rand for all security-sensitive random values.

```go
import "crypto/rand"

token := make([]byte, 32)
if _, err := rand.Read(token); err != nil {
    return err
}
```

Learn more: https://shoulder.dev/learn/go/cwe-338/weak-random