# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

**Stack:** JavaScript

- Prevalence: 높음 자주 악용됨
- Impact: 높음 2개의 높은 심각도 규칙
- Prevention: 문서화됨 4개의 수정 예시

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism.

## Prevention

1개의 Shoulder 탐지 규칙을 기반으로 한 Weak PRNG 예방 전략.

### Key Practices

- Use of Math

### JavaScript

Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values

## Warning Signs

- [HIGH] Math.random() used for security-sensitive operation: ...
- [HIGH] use of Math

## Consequences

- 보호 메커니즘 우회
- 권한 획득

## Mitigations

- 암호학적으로 안전한 난수 생성기(CSPRNG)를 사용하세요
- JavaScript에서는 crypto.getRandomValues() 또는 crypto.randomUUID()를 사용하세요
- Python에서는 random 대신 secrets 모듈을 사용하세요

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating
tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically
secure and can be predicted by attackers.
  - Remediation: Replace Math.random() with cryptographically secure alternatives.

### Typescript (1 rules)

- **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating
tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically
secure and can be predicted by attackers.
  - Remediation: Replace Math.random() with cryptographically secure alternatives.