Insecure Randomness
Learn how to prevent insecure randomness vulnerabilities with real code examples and best practices. Protect your applications from predictable random number generation and security threats.
Tools recognizing this:
Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL
What is Insecure Randomness and How Does it Work?
Insecure Randomness is a security vulnerability that occurs when applications use weak random number generators for security-critical operations. It happens when developers use predictable random number generation methods instead of cryptographically secure alternatives.
Using weak random number generators can lead to various security issues:
Predictable session IDs or tokens
Weak cryptographic keys
Guessable password reset codes
Vulnerable temporary file names
Exploitable game mechanics or gambling systems
This guide covers Insecure Randomness vulnerabilities, examples, prevention methods, and how to implement secure random number generation using real-world techniques.
One Simple Insecure Randomness Example
Consider this classic example of generating a session token:
String sessionToken = String.valueOf(Math.random() * 1000000);An attacker could predict the next token because:
Math.random() uses a weak pseudo-random number generator
The resulting tokens would be:
Using Math.random(): Predictable sequence based on seed
This allows attackers to potentially guess valid session tokens and hijack user sessions.
Insecure Randomness Prevention Methods: How to Fix Your Code
The most efficient way to fix an Insecure Randomness issue in your code is using cryptographically secure random number generators.
Secure random number generators use entropy from the system to generate unpredictable values, making them suitable for security-critical operations. They ensure that generated values cannot be predicted even if an attacker knows previous values.
Code Samples
Vulnerable Code
Random random = new Random();
String token = String.valueOf();Fixed Code
SecureRandom secureRandom = new SecureRandom();
String token = String.valueOf(secureRandom.nextInt(1000000));Fix Explanation
The vulnerable code uses java.util.Random which is not cryptographically secure.The fix uses SecureRandom which provides cryptographically strong random numbers.SecureRandom uses the operating system's entropy pool for better randomness.The generated values are suitable for security-sensitive operations.
Vulnerable Code
const token = Math.floor(Math.random() * 1000000);
const sessionId = token.toString();Fixed Code
const crypto = require('crypto');
const token = crypto.randomInt(1000000);
const sessionId = token.toString();Fix Explanation
The vulnerable code uses Math.random() which is not cryptographically secure.The fix uses the crypto.randomInt() method from Node's crypto module.The crypto module provides cryptographically strong random numbers.The generated values are suitable for security-sensitive operations.
Vulnerable Code
import random
token = random.randint(0, 1000000)
session_id = str(token)Fixed Code
import secrets
token = secrets.randbelow(1000000)
session_id = str(token)Fix Explanation
The vulnerable code uses random.randint which is not cryptographically secure.The fix uses the secrets module which is designed for generating cryptographic secrets.The secrets module provides methods specifically for security-sensitive operations.The generated values are suitable for tokens, keys, and other secure values.
Vulnerable Code
Random random = new Random();
string token = random.Next(1000000).ToString();Fixed Code
using System.Security.Cryptography;
string token = RandomNumberGenerator.GetInt32(1000000).ToString();Fix Explanation
The vulnerable code uses System.Random which is not cryptographically secure.The fix uses RandomNumberGenerator from System.Security.Cryptography.RandomNumberGenerator provides cryptographically strong random numbers.The generated values are suitable for security-sensitive operations.
Vulnerable Code
$token = rand(0, 1000000);
$sessionId = strval($token);Fixed Code
$token = random_int(0, 1000000);
$sessionId = strval($token);Fix Explanation
The vulnerable code uses rand() which is not cryptographically secure.The fix uses random_int() which generates cryptographically secure random integers.random_int() uses the operating system's source of randomness.The generated values are suitable for security-sensitive operations.
Vulnerable Code
srand(time(NULL));
int token = rand() % 1000000;
string sessionId = to_string(token);Fixed Code
#include <random>
std::random_device rd;
std::uniform_int_distribution<int> dist(0, 999999);
int token = dist(rd);
string sessionId = to_string(token);Fix Explanation
The vulnerable code uses rand() which is not cryptographically secure.The fix uses std::random_device which provides high-quality random numbers.random_device uses hardware entropy sources when available.The generated values are suitable for security-sensitive operations.
Need more help in preventing Insecure Randomness?
Mobb supports fixing many forms of Insecure Randomness vulnerabilities, and can mitigate your issues in batch.
Start now for free at app.mobb.ai
We’d love your feedback!
We’re excited to hear your thoughts and ideas about fixing vulnerabilities.
Book a meeting or Contact us if you have any corrections, questions or suggestions.
Last updated
Was this helpful?