# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

**Stack:** JavaScript

- Prevalence: High (frequently exploited)
- Impact: High (2 high-severity rules)
- Prevention: Documented (4 fix examples)

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism.

## Prevention

Prevention strategies for Weak PRNG, based on Shoulder detection rules.

### Key Practices

- Use of Math

### JavaScript

Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values.

## Warning Signs

- [HIGH] Math.random() used for security-sensitive operation: ...
- [HIGH] use of Math

## Consequences

- Bypassing security mechanisms
- Gaining privileges

## Mitigations

- Use a cryptographically secure random number generator (CSPRNG)
- In JavaScript, use crypto.getRandomValues() or crypto.randomUUID()
- In Python, use the secrets module instead of random

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rule)

- **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers.
  - Remediation: Replace Math.random() with cryptographically secure alternatives.

### Typescript (1 rule)

- **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers.
  - Remediation: Replace Math.random() with cryptographically secure alternatives.