# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338) The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. **Stack:** JavaScript - Prevalence: High Frequently exploited - Impact: High 2 high-severity rules - Prevention: Documented 4 fix examples **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism. ## Prevention Prevention strategies for Weak PRNG based on 1 Shoulder detection rules. ### Key Practices - Use of Math ### JavaScript Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values ## Warning Signs - [HIGH] Math.random() used for security-sensitive operation: ... - [HIGH] use of Math ## Consequences - Bypass Protection Mechanism - Gain Privileges ## Mitigations - Use cryptographically secure random number generators (CSPRNGs) - In JavaScript, use crypto.getRandomValues() or crypto.randomUUID() - In Python, use secrets module instead of random ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers. - Remediation: Replace Math.random() with cryptographically secure alternatives. ### Typescript (1 rules) - **Weak Random Number Generation in Security Context** [HIGH]: Detects use of Math.random() for security-sensitive operations like generating tokens, session IDs, or cryptographic keys. Math.random() is not cryptographically secure and can be predicted by attackers. - Remediation: Replace Math.random() with cryptographically secure alternatives.