🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Insecure Random Number Generator

The usage of an insecure pseudo-random number generator for security purposes is dangerous as it can make passwords, API keys, or other secrets guessable. While random number generators serve various purposes, not all generators or their usage are suitable for security.

For instance, a generator requires a strong seed for initialization; otherwise, the sequence of random numbers can be guessed.

Remediation

  • Use a Pseudo-Random Number Generator (PRNG) with a strong random seed.
  • Utilize hardware-based PRNGs.

Metadata

  • Severity: medium
  • Slug: insecure-random-number-generator

CWEs

  • 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • 337: Predictable Seed in Pseudo-Random Number Generator (PRNG)

OWASP

  • A02:2021: Cryptographic Failures

Available Labs

Open C labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.