# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338) The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. **Stack:** JavaScript - Prevalence: Wysoka Często wykorzystywana - Impact: Wysoki 2 reguł o wysokim poziomie - Prevention: Udokumentowane 4 przykładów poprawek **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism. ## Prevention Strategie zapobiegania dla Weak PRNG oparte na 1 regułach detekcji Shoulder. ### Key Practices - Use of Math ### JavaScript Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values ## Warning Signs - [HIGH] Math.random() used for security-sensitive operation: ... - [HIGH] use of Math ## Consequences - Obejście mechanizmu ochrony - Uzyskanie uprawnień ## Mitigations - Stosuj kryptograficznie bezpieczne generatory liczb losowych (CSPRNG) - W JavaScript używaj crypto.getRandomValues() lub crypto.randomUUID() - W Pythonie korzystaj z modułu secrets zamiast random ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers. - Remediation: Replace Math.random() with cryptographically secure alternatives. ### Typescript (1 rules) - **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers. - Remediation: Replace Math.random() with cryptographically secure alternatives.