# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

**Stack:** Python

- Prevalence: उच्च बार-बार शोषित
- Impact: उच्च 2 उच्च गंभीरता वाले नियम
- Prevention: प्रलेखित 4 फिक्स उदाहरण

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism.

## Prevention

2 Shoulder डिटेक्शन नियमों पर आधारित Weak PRNG के लिए रोकथाम रणनीतियाँ।

### Python

Use the secrets module for tokens, passwords, and all security-sensitive randomness

Use the secrets module instead of random for security-sensitive operations

## Warning Signs

- [MEDIUM] use of insecure random number generators (random module) for
security-critical operations
- [MEDIUM] use of the random module for security-sensitive operations like
tokens, passwords, or cryptographic 

## Consequences

- सुरक्षा तंत्र को बायपास करना
- विशेषाधिकार प्राप्त करना

## Mitigations

- क्रिप्टोग्राफ़िक रूप से सुरक्षित यादृच्छिक संख्या जनरेटर (CSPRNG) का उपयोग करें
- JavaScript में crypto.getRandomValues() या crypto.randomUUID() का उपयोग करें
- Python में random के बजाय secrets मॉड्यूल का उपयोग करें

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **Insecure Random Number Generation** [MEDIUM]: Detects use of insecure random number generators (random module) for
security-critical operations. Use secrets module or os.urandom() for
cryptographic randomness (tokens, passwords, keys, nonces).
  - Remediation: Use the secrets module for tokens, passwords, and security-sensitive operations.

```python
import secrets

# Generate secure token
token = secrets.token_urlsafe(32)

# Generate secure hex token
reset_token = secrets.token_hex(32)

# Generate secure bytes for keys/salt
key = secrets.token_bytes(32)
```

Learn more: https://shoulder.dev/learn/python/cwe-338/insecure-randomness
- **Cryptographically Weak Random Number Generation** [MEDIUM]: Detects use of the random module for security-sensitive operations like
tokens, passwords, or cryptographic keys. The random module is not
cryptographically secure. Use the secrets module instead.
  - Remediation: Use the secrets module instead of random for security-sensitive operations.

```python
import secrets

token = secrets.token_hex(32)
api_key = secrets.token_urlsafe(32)

# For passwords:
import string
alphabet = string.ascii_letters + string.digits
password = ''.join(secrets.choice(alphabet) for _ in range(12))
```

Learn more: https://shoulder.dev/learn/python/cwe-338/weak-random