Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Description
Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations.
Examples
Insecure Code
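```javascript
const crypto = require('crypto');
// pseudoRandomBytes() is the weak generator this rule flags; do not use it for keys, tokens or nonces.
const insecureBytes = crypto.pseudoRandomBytes(256);
console.log(`Insecure random bytes: ${insecureBytes.toString('hex')}`);
```
Secure Code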
```javascript
const crypto = require('crypto');
// randomBytes() generates cryptographically secure random bytes.
const secureBytes = crypto.randomBytes(256);
console.log(`Secure random bytes: ${secureBytes.toString('hex')}`);
```
Remediation
Replace the use of these cryptographically weak random number generators with `crypto.randomBytes()`, a method provided by Node.js's `crypto` module that generates cryptographically secure random numbers.
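When the weak call is `Math.random()` used to pick an index or a character, the replacement also has to avoid modulo bias, which a plain `byte % n` over `crypto.randomBytes()` output would introduce. The following is an added example, not part of the original rule text; the helper names `weakToken`, `secureRandomInt` and `secureToken` and the default alphabet are illustrative assumptions.

```javascript
const crypto = require('crypto');

// Illustrative alphabet (assumption): 62 URL-safe characters.
const DEFAULT_ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Weak pattern this rule flags: Math.random() is not a CSPRNG.
function weakToken(length, alphabet = DEFAULT_ALPHABET) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[Math.floor(Math.random() * alphabet.length)];
  }
  return out;
}

// Uniform integer in [0, max) built on crypto.randomBytes().
// Rejection sampling discards values that would make `% max` biased.
function secureRandomInt(max) {
  if (!Number.isInteger(max) || max < 1 || max > 2 ** 32) {
    throw new RangeError('max must be an integer in [1, 2^32]');
  }
  const range = 2 ** 32;
  // Largest multiple of max that fits in 32 bits; draws at or above it are retried.
  const limit = range - (range % max);
  for (;;) {
    const value = crypto.randomBytes(4).readUInt32BE(0);
    if (value < limit) return value % max;
  }
}

// Hardened counterpart of weakToken(): same interface, CSPRNG-backed.
function secureToken(length, alphabet = DEFAULT_ALPHABET) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  if (alphabet.length < 2) {
    throw new RangeError('alphabet must contain at least two characters');
  }
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[secureRandomInt(alphabet.length)];
  }
  return out;
}
```
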
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0352 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-338 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | random number generator, crypto |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |