Use of cryptographically weak pseudo-random number generator (PRNG)
Description
Depending on the context, generating weak random numbers may expose cryptographic functions, which rely on these numbers, to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the `randomBytes` method of the `crypto` module be used instead of `pseudoRandomBytes`.
Examples
Insecure Code
javascript
crypto.pseudoRandomBytes(256);Secure Code
javascript
const randomBytes = crypto.randomBytes(256);Remediation
Replace `crypto.pseudoRandomBytes` with `crypto.randomBytes`
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0197 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-338 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | crypto, random number generator |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |