# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

**Stack:** Python

- Prevalence: 높음 자주 악용됨
- Impact: 높음 2개의 높은 심각도 규칙
- Prevention: 문서화됨 4개의 수정 예시

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism.

## Prevention

2개의 Shoulder 탐지 규칙을 기반으로 한 Weak PRNG 예방 전략.

### Python

Use the secrets module for tokens, passwords, and all security-sensitive randomness

Use the secrets module instead of random for security-sensitive operations

## Warning Signs

- [MEDIUM] use of insecure random number generators (random module) for
security-critical operations
- [MEDIUM] use of the random module for security-sensitive operations like
tokens, passwords, or cryptographic 

## Consequences

- 보호 메커니즘 우회
- 권한 획득

## Mitigations

- 암호학적으로 안전한 난수 생성기(CSPRNG)를 사용하세요
- JavaScript에서는 crypto.getRandomValues() 또는 crypto.randomUUID()를 사용하세요
- Python에서는 random 대신 secrets 모듈을 사용하세요

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **Insecure Random Number Generation** [MEDIUM]: Detects use of insecure random number generators (random module) for
security-critical operations. Use secrets module or os.urandom() for
cryptographic randomness (tokens, passwords, keys, nonces).
  - Remediation: Use the secrets module for tokens, passwords, and security-sensitive operations.

```python
import secrets

# Generate secure token
token = secrets.token_urlsafe(32)

# Generate secure hex token
reset_token = secrets.token_hex(32)

# Generate secure bytes for keys/salt
key = secrets.token_bytes(32)
```

Learn more: https://shoulder.dev/learn/python/cwe-338/insecure-randomness
- **Cryptographically Weak Random Number Generation** [MEDIUM]: Detects use of the random module for security-sensitive operations like
tokens, passwords, or cryptographic keys. The random module is not
cryptographically secure. Use the secrets module instead.
  - Remediation: Use the secrets module instead of random for security-sensitive operations.

```python
import secrets

token = secrets.token_hex(32)
api_key = secrets.token_urlsafe(32)

# For passwords:
import string
alphabet = string.ascii_letters + string.digits
password = ''.join(secrets.choice(alphabet) for _ in range(12))
```

Learn more: https://shoulder.dev/learn/python/cwe-338/weak-random