# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338) The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. **Stack:** Python - Prevalence: 高 頻繁に悪用される - Impact: ハイ 2 件の重大度ハイのルール - Prevention: 文書化済み 4 件の修正例 **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism. ## Prevention 2 件の Shoulder 検出ルールに基づく Weak PRNG の予防策。 ### Python Use the secrets module for tokens, passwords, and all security-sensitive randomness Use the secrets module instead of random for security-sensitive operations ## Warning Signs - [MEDIUM] use of insecure random number generators (random module) for security-critical operations - [MEDIUM] use of the random module for security-sensitive operations like tokens, passwords, or cryptographic ## Consequences - 保護メカニズムの回避 - 権限の取得 ## Mitigations - 暗号学的に安全な乱数生成器 (CSPRNG) を使用する - JavaScript では crypto.getRandomValues() または crypto.randomUUID() を使用する - Python では random ではなく secrets モジュールを使用する ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (2 rules) - **Insecure Random Number Generation** [MEDIUM]: Detects use of insecure random number generators (random module) for security-critical operations. Use secrets module or os.urandom() for cryptographic randomness (tokens, passwords, keys, nonces). - Remediation: Use the secrets module for tokens, passwords, and security-sensitive operations. ```python import secrets # Generate secure token token = secrets.token_urlsafe(32) # Generate secure hex token reset_token = secrets.token_hex(32) # Generate secure bytes for keys/salt key = secrets.token_bytes(32) ``` Learn more: https://shoulder.dev/learn/python/cwe-338/insecure-randomness - **Cryptographically Weak Random Number Generation** [MEDIUM]: Detects use of the random module for security-sensitive operations like tokens, passwords, or cryptographic keys. The random module is not cryptographically secure. Use the secrets module instead. - Remediation: Use the secrets module instead of random for security-sensitive operations. ```python import secrets token = secrets.token_hex(32) api_key = secrets.token_urlsafe(32) # For passwords: import string alphabet = string.ascii_letters + string.digits password = ''.join(secrets.choice(alphabet) for _ in range(12)) ``` Learn more: https://shoulder.dev/learn/python/cwe-338/weak-random