Use of cryptographically weak pseudo-random number generator (PRNG)
Description
Depending on the context, generating weak random numbers can make the cryptographic functions that rely on those numbers exploitable, because an attacker who can predict the generator's output can predict the derived values. When generating sensitive values such as tokens, nonces, and cryptographic keys, use the `secrets` module instead of `random`.
Examples
Insecure Code

```python
import random

# random.random() draws from a deterministic Mersenne Twister generator.
# Its state can be recovered from observed output, so the value is
# unsuitable for any secret. (It also returns a float, not bytes.)
random_bytes = random.random()
```

Secure Code

```python
import secrets

# secrets.token_bytes() reads from the operating system's CSPRNG
# (os.urandom), which is designed for security-sensitive values.
random_bytes = secrets.token_bytes(64)
```

Remediation
Use the `secrets` module instead of the `random` module for generating cryptographically secure random numbers. The `random` module's default generator (Mersenne Twister) is deterministic and, as its own documentation states, is not designed for security purposes; `secrets` draws from the operating system's cryptographically secure source.
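The following added example (not part of the rule's own code) shows the remediation in practice: helpers that generate a session token and a nonce with `secrets`, a constant-time comparison for checking a presented token, and a small check that illustrates why `random` is unsuitable, namely that two `random.Random` instances given the same seed produce identical output. Function names, sizes, and the seed value are assumptions chosen for illustration.

```python
import random
import secrets


def generate_session_token(nbytes: int = 32) -> str:
    """Return a URL-safe text token built from `nbytes` bytes of OS CSPRNG output.

    secrets.token_urlsafe encodes the bytes with base64url, so 32 input bytes
    become a 43-character string.
    """
    return secrets.token_urlsafe(nbytes)


def generate_nonce(nbytes: int = 16) -> bytes:
    """Return `nbytes` raw random bytes suitable for a nonce or key material."""
    return secrets.token_bytes(nbytes)


def tokens_match(presented: str, stored: str) -> bool:
    """Compare a presented token with the stored one in constant time.

    Using secrets.compare_digest instead of `==` avoids leaking how many
    leading characters matched through response timing.
    """
    return secrets.compare_digest(presented, stored)


def random_is_reproducible(seed: int = 12345, n: int = 8) -> bool:
    """Show the weakness of `random`: same seed, same output sequence.

    The Mersenne Twister behind `random` is fully determined by its seed, so
    any party that learns or guesses the seed (or recovers the internal state
    from observed output) obtains the very same 'random' values. `secrets`
    has no user-settable seed, which is one reason it is the right tool here.
    """
    a = random.Random(seed)
    b = random.Random(seed)
    return [a.getrandbits(32) for _ in range(n)] == [b.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    token = generate_session_token()
    print("session token:", token)
    print("nonce (hex):", generate_nonce().hex())
    print("token verifies against itself:", tokens_match(token, token))
    print("random.Random is reproducible from its seed:", random_is_reproducible())
```

Each helper returns its result rather than printing it, so the same functions can be dropped into request handlers or tests unchanged.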
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0158 |
| Category | Crypto |
| Severity | LOW |
| CWE | CWE-338 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | random, secrets, crypto |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |