# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338) The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. **Stack:** JavaScript - Prevalence: Alta Frequentemente explorada - Impact: Alto 2 regras de severidade alta - Prevention: Documentada 4 exemplos de correção **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism. ## Prevention Estratégias de prevenção para Weak PRNG baseadas em 1 regras de detecção do Shoulder. ### Key Practices - Use of Math ### JavaScript Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values ## Warning Signs - [HIGH] Math.random() used for security-sensitive operation: ... - [HIGH] use of Math ## Consequences - Burlar mecanismo de proteção - Obter privilégios ## Mitigations - Use geradores de números aleatórios criptograficamente seguros (CSPRNGs) - Em JavaScript, use crypto.getRandomValues() ou crypto.randomUUID() - Em Python, use o módulo secrets em vez de random ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers. - Remediation: Replace Math.random() with cryptographically secure alternatives. ### Typescript (1 rules) - **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers. - Remediation: Replace Math.random() with cryptographically secure alternatives.