# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338) The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. **Stack:** Python - Prevalence: Élevée Fréquemment exploitée - Impact: Élevé 2 règles de sévérité élevée - Prevention: Documentée 4 exemples de correctifs **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism. ## Prevention Stratégies de prévention pour Weak PRNG basées sur 2 règles de détection Shoulder. ### Python Use the secrets module for tokens, passwords, and all security-sensitive randomness Use the secrets module instead of random for security-sensitive operations ## Warning Signs - [MEDIUM] use of insecure random number generators (random module) for security-critical operations - [MEDIUM] use of the random module for security-sensitive operations like tokens, passwords, or cryptographic ## Consequences - Contourner le mécanisme de protection - Obtenir des privilèges ## Mitigations - Utilisez des générateurs de nombres aléatoires cryptographiquement sécurisés (CSPRNG) - En JavaScript, utilisez crypto.getRandomValues() ou crypto.randomUUID() - En Python, utilisez le module secrets plutôt que random ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (2 rules) - **Insecure Random Number Generation** [MEDIUM]: Detects use of insecure random number generators (random module) for security-critical operations. Use secrets module or os.urandom() for cryptographic randomness (tokens, passwords, keys, nonces). - Remediation: Use the secrets module for tokens, passwords, and security-sensitive operations. ```python import secrets # Generate secure token token = secrets.token_urlsafe(32) # Generate secure hex token reset_token = secrets.token_hex(32) # Generate secure bytes for keys/salt key = secrets.token_bytes(32) ``` Learn more: https://shoulder.dev/learn/python/cwe-338/insecure-randomness - **Cryptographically Weak Random Number Generation** [MEDIUM]: Detects use of the random module for security-sensitive operations like tokens, passwords, or cryptographic keys. The random module is not cryptographically secure. Use the secrets module instead. - Remediation: Use the secrets module instead of random for security-sensitive operations. ```python import secrets token = secrets.token_hex(32) api_key = secrets.token_urlsafe(32) # For passwords: import string alphabet = string.ascii_letters + string.digits password = ''.join(secrets.choice(alphabet) for _ in range(12)) ``` Learn more: https://shoulder.dev/learn/python/cwe-338/weak-random