Insecure Randomness

Learn how to prevent insecure randomness vulnerabilities with real code examples and best practices. Protect your applications from predictable random number generation and security threats.

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is Insecure Randomness and How Does it Work?

Insecure Randomness is a security vulnerability that occurs when applications use weak random number generators for security-critical operations. It happens when developers use predictable random number generation methods instead of cryptographically secure alternatives.

Using weak random number generators can lead to various security issues:

Predictable session IDs or tokens
Weak cryptographic keys
Guessable password reset codes
Vulnerable temporary file names
Exploitable game mechanics or gambling systems

This guide covers Insecure Randomness vulnerabilities, examples, prevention methods, and how to implement secure random number generation using real-world techniques.

One Simple Insecure Randomness Example

Consider this classic example of generating a session token:

String sessionToken = String.valueOf(Math.random() * 1000000);

An attacker could predict the next token because:

Math.random() uses a weak pseudo-random number generator

The resulting tokens would be:

Using Math.random(): Predictable sequence based on seed

This allows attackers to potentially guess valid session tokens and hijack user sessions.

Insecure Randomness Prevention Methods: How to Fix Your Code

The most efficient way to fix an Insecure Randomness issue in your code is using cryptographically secure random number generators.

Secure random number generators use entropy from the system to generate unpredictable values, making them suitable for security-critical operations. They ensure that generated values cannot be predicted even if an attacker knows previous values.

Code Samples

Vulnerable Code

Random random = new Random();
String token = String.valueOf();

Fixed Code

SecureRandom secureRandom = new SecureRandom();
String token = String.valueOf(secureRandom.nextInt(1000000));

Fix Explanation

The vulnerable code uses java.util.Random which is not cryptographically secure.The fix uses SecureRandom which provides cryptographically strong random numbers.SecureRandom uses the operating system's entropy pool for better randomness.The generated values are suitable for security-sensitive operations.

Vulnerable Code

const token = Math.floor(Math.random() * 1000000);
const sessionId = token.toString();

Fixed Code

const crypto = require('crypto');
const token = crypto.randomInt(1000000);
const sessionId = token.toString();

Fix Explanation

The vulnerable code uses Math.random() which is not cryptographically secure.The fix uses the crypto.randomInt() method from Node's crypto module.The crypto module provides cryptographically strong random numbers.The generated values are suitable for security-sensitive operations.

Vulnerable Code

import random
token = random.randint(0, 1000000)
session_id = str(token)

Fixed Code

import secrets
token = secrets.randbelow(1000000)
session_id = str(token)

Fix Explanation

The vulnerable code uses random.randint which is not cryptographically secure.The fix uses the secrets module which is designed for generating cryptographic secrets.The secrets module provides methods specifically for security-sensitive operations.The generated values are suitable for tokens, keys, and other secure values.

Vulnerable Code

Random random = new Random();
string token = random.Next(1000000).ToString();

Fixed Code

using System.Security.Cryptography;
string token = RandomNumberGenerator.GetInt32(1000000).ToString();

Fix Explanation

The vulnerable code uses System.Random which is not cryptographically secure.The fix uses RandomNumberGenerator from System.Security.Cryptography.RandomNumberGenerator provides cryptographically strong random numbers.The generated values are suitable for security-sensitive operations.

Vulnerable Code

$token = rand(0, 1000000);
$sessionId = strval($token);

Fixed Code

$token = random_int(0, 1000000);
$sessionId = strval($token);

Fix Explanation

The vulnerable code uses rand() which is not cryptographically secure.The fix uses random_int() which generates cryptographically secure random integers.random_int() uses the operating system's source of randomness.The generated values are suitable for security-sensitive operations.

Vulnerable Code

srand(time(NULL));
int token = rand() % 1000000;
string sessionId = to_string(token);

Fixed Code

#include <random>
std::random_device rd;
std::uniform_int_distribution<int> dist(0, 999999);
int token = dist(rd);
string sessionId = to_string(token);

Fix Explanation

The vulnerable code uses rand() which is not cryptographically secure.The fix uses std::random_device which provides high-quality random numbers.random_device uses hardware entropy sources when available.The generated values are suitable for security-sensitive operations.

Need more help in preventing Insecure Randomness?

Mobb supports fixing many forms of Insecure Randomness vulnerabilities, and can mitigate your issues in batch.

Start now for free at app.mobb.ai

We’d love your feedback!

We’re excited to hear your thoughts and ideas about fixing vulnerabilities.

Book a meeting or Contact us if you have any corrections, questions or suggestions.

PreviousInsecure Cookie Vulnerabilities NextMissing Check against Null

Last updated 16 hours ago

Was this helpful?