# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338) The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. **Stack:** Python - Prevalence: 高 频繁被利用 - Impact: 高 2 条严重级别为高的规则 - Prevention: 已记录 4 个修复示例 **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism. ## Prevention 基于 2 条 Shoulder 检测规则的 Weak PRNG 预防策略。 ### Python Use the secrets module for tokens, passwords, and all security-sensitive randomness Use the secrets module instead of random for security-sensitive operations ## Warning Signs - [MEDIUM] use of insecure random number generators (random module) for security-critical operations - [MEDIUM] use of the random module for security-sensitive operations like tokens, passwords, or cryptographic ## Consequences - 绕过保护机制 - 获取权限 ## Mitigations - 使用密码学安全的随机数生成器 (CSPRNG) - 在 JavaScript 中使用 crypto.getRandomValues() 或 crypto.randomUUID() - 在 Python 中使用 secrets 模块,而不是 random ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (2 rules) - **Insecure Random Number Generation** [MEDIUM]: Detects use of insecure random number generators (random module) for security-critical operations. Use secrets module or os.urandom() for cryptographic randomness (tokens, passwords, keys, nonces). - Remediation: Use the secrets module for tokens, passwords, and security-sensitive operations. ```python import secrets # Generate secure token token = secrets.token_urlsafe(32) # Generate secure hex token reset_token = secrets.token_hex(32) # Generate secure bytes for keys/salt key = secrets.token_bytes(32) ``` Learn more: https://shoulder.dev/learn/python/cwe-338/insecure-randomness - **Cryptographically Weak Random Number Generation** [MEDIUM]: Detects use of the random module for security-sensitive operations like tokens, passwords, or cryptographic keys. The random module is not cryptographically secure. Use the secrets module instead. - Remediation: Use the secrets module instead of random for security-sensitive operations. ```python import secrets token = secrets.token_hex(32) api_key = secrets.token_urlsafe(32) # For passwords: import string alphabet = string.ascii_letters + string.digits password = ''.join(secrets.choice(alphabet) for _ in range(12)) ``` Learn more: https://shoulder.dev/learn/python/cwe-338/weak-random