Mobb User Docs
Start NowBlogsWatch NowContact Us
  • What is Mobb?
  • What's New with Mobb
  • Supported Fixes
  • Getting Started
    • System Requirements
    • Onboarding Guide
      • Registering a Mobb account
      • Try Mobb now!
      • Running Mobb against your own code
      • Automate Mobb in a CI/CD pipeline
    • Working with the Fix Report
    • Mobb CLI Overview
      • Analyze Mode
      • Scan Mode
      • Add SCM Token Mode
      • Review Mode
      • Common Deployment Scenarios
  • Mobb Dashboard
  • Integrating SAST Findings
    • Checkmarx
      • Generating Checkmarx One JSON Report from CLI
    • Snyk
    • SonarQube
      • Generating a SonarQube SAST Report
    • Fortify
    • CodeQL
    • Semgrep/Opengrep
      • Generating a Semgrep SAST Report
      • Generating an Opengrep SAST Report
  • CI/CD Integrations
    • GitHub Actions
      • GitHub Fixer for CxOne
      • GitHub Fixer for Opengrep
    • GitLab Pipeline
    • Azure DevOps
    • Jenkins
    • CircleCI
    • Bamboo
    • Bitbucket Pipeline
  • Administration
    • User Management
    • Project Settings
    • Access Tokens
    • Organization-Level Fix Policy
    • Integrations Page
    • SAML Single Sign-On Flow
  • More Info
    • Mobb Broker
      • Mobb Broker Token Rotation
      • Secure storage of Mobb broker in AWS Secrets Manager
    • Providing Fix Feedback
    • Frequently Asked Questions (FAQ)
    • Data Protection and Retention
    • Service Level Agreement
  • Fixing Guides
    • SQL Injection
    • Path Traversal
    • Log Forging
    • XSS
    • XXE
    • Server Side Request Forgery
    • HttpOnly Cookie Vulnerabilities
    • Hardcoded Domain in HTML
    • Hardcoded Secrets
    • HTTP Response Splitting Attacks
    • Insecure Cookie Vulnerabilities
    • Insecure Randomness
    • Missing Check against Null
    • Missing Rate Limiting
    • Regex Missing Timeout
    • System Information Leakage
  • Mobb REST API Guide
Powered by GitBook
On this page
  • What is Insecure Randomness and How Does it Work?
  • One Simple Insecure Randomness Example
  • Insecure Randomness Prevention Methods: How to Fix Your Code
  • Code Samples
  • Need more help in preventing Insecure Randomness?
  • We’d love your feedback!

Was this helpful?

  1. Fixing Guides

Insecure Randomness

Learn how to prevent insecure randomness vulnerabilities with real code examples and best practices. Protect your applications from predictable random number generation and security threats.

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is Insecure Randomness and How Does it Work?

Insecure Randomness is a security vulnerability that occurs when applications use weak random number generators for security-critical operations. It happens when developers use predictable random number generation methods instead of cryptographically secure alternatives.

Using weak random number generators can lead to various security issues:

  • Predictable session IDs or tokens

  • Weak cryptographic keys

  • Guessable password reset codes

  • Vulnerable temporary file names

  • Exploitable game mechanics or gambling systems

This guide covers Insecure Randomness vulnerabilities, examples, prevention methods, and how to implement secure random number generation using real-world techniques.

One Simple Insecure Randomness Example

Consider this classic example of generating a session token:

String sessionToken = String.valueOf(Math.random() * 1000000);

An attacker could predict the next token because:

Math.random() uses a weak pseudo-random number generator

The resulting tokens would be:

Using Math.random(): Predictable sequence based on seed

This allows attackers to potentially guess valid session tokens and hijack user sessions.

Insecure Randomness Prevention Methods: How to Fix Your Code

The most efficient way to fix an Insecure Randomness issue in your code is using cryptographically secure random number generators.

Secure random number generators use entropy from the system to generate unpredictable values, making them suitable for security-critical operations. They ensure that generated values cannot be predicted even if an attacker knows previous values.

Code Samples

Vulnerable Code

Random random = new Random();
String token = String.valueOf();

Fixed Code

SecureRandom secureRandom = new SecureRandom();
String token = String.valueOf(secureRandom.nextInt(1000000));

Fix Explanation

The vulnerable code uses java.util.Random which is not cryptographically secure.The fix uses SecureRandom which provides cryptographically strong random numbers.SecureRandom uses the operating system's entropy pool for better randomness.The generated values are suitable for security-sensitive operations.

Vulnerable Code

const token = Math.floor(Math.random() * 1000000);
const sessionId = token.toString();

Fixed Code

const crypto = require('crypto');
const token = crypto.randomInt(1000000);
const sessionId = token.toString();

Fix Explanation

The vulnerable code uses Math.random() which is not cryptographically secure.The fix uses the crypto.randomInt() method from Node's crypto module.The crypto module provides cryptographically strong random numbers.The generated values are suitable for security-sensitive operations.

Vulnerable Code

import random
token = random.randint(0, 1000000)
session_id = str(token)

Fixed Code

import secrets
token = secrets.randbelow(1000000)
session_id = str(token)

Fix Explanation

The vulnerable code uses random.randint which is not cryptographically secure.The fix uses the secrets module which is designed for generating cryptographic secrets.The secrets module provides methods specifically for security-sensitive operations.The generated values are suitable for tokens, keys, and other secure values.

Vulnerable Code

Random random = new Random();
string token = random.Next(1000000).ToString();

Fixed Code

using System.Security.Cryptography;
string token = RandomNumberGenerator.GetInt32(1000000).ToString();

Fix Explanation

The vulnerable code uses System.Random which is not cryptographically secure.The fix uses RandomNumberGenerator from System.Security.Cryptography.RandomNumberGenerator provides cryptographically strong random numbers.The generated values are suitable for security-sensitive operations.

Vulnerable Code

$token = rand(0, 1000000);
$sessionId = strval($token);

Fixed Code

$token = random_int(0, 1000000);
$sessionId = strval($token);

Fix Explanation

The vulnerable code uses rand() which is not cryptographically secure.The fix uses random_int() which generates cryptographically secure random integers.random_int() uses the operating system's source of randomness.The generated values are suitable for security-sensitive operations.

Vulnerable Code

srand(time(NULL));
int token = rand() % 1000000;
string sessionId = to_string(token);

Fixed Code

#include <random>
std::random_device rd;
std::uniform_int_distribution<int> dist(0, 999999);
int token = dist(rd);
string sessionId = to_string(token);

Fix Explanation

The vulnerable code uses rand() which is not cryptographically secure.The fix uses std::random_device which provides high-quality random numbers.random_device uses hardware entropy sources when available.The generated values are suitable for security-sensitive operations.

Need more help in preventing Insecure Randomness?

We’d love your feedback!

We’re excited to hear your thoughts and ideas about fixing vulnerabilities.

PreviousInsecure Cookie VulnerabilitiesNextMissing Check against Null

Last updated 2 months ago

Was this helpful?

supports fixing many forms of Insecure Randomness vulnerabilities, and can mitigate your issues in batch.

Start now for free at

or if you have any corrections, questions or suggestions.

Mobb
app.mobb.ai
Book a meeting
Contact us