# Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
## Description

The code generates cryptographic keys using `System.Random`. `System.Random` is not suitable for cryptographic purposes: it is a general-purpose PRNG whose output can be predicted or reproduced by anyone who knows or can guess its seed and internal state. Use `System.Security.Cryptography.RandomNumberGenerator`, which draws from the operating system's cryptographically secure random source, to generate key material.
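The following C# is an added illustration and is not code from the rule page or from any particular project. It places the flagged pattern next to the recommended replacement, and its `Main` shows the property that makes `System.Random` unfit for keys: two instances built from the same seed emit the same bytes. The method names, the 32-byte key size and the seed value are assumptions chosen for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example (not the rule page's own code). Assumed context: producing a 256-bit
// (32-byte) symmetric key. Method names are illustrative.
public static class KeyGeneration
{
    // FLAGGED PATTERN: System.Random is a general-purpose PRNG. Its sequence is fully
    // determined by a small seed, so anyone who learns or guesses the seed can regenerate
    // the "key". This is the shape of code CWE-338 describes.
    public static byte[] GenerateKeyInsecure(int sizeInBytes)
    {
        var rng = new Random();
        var key = new byte[sizeInBytes];
        rng.NextBytes(key);
        return key;
    }

    // FIXED: RandomNumberGenerator.GetBytes (static, .NET 6+) returns bytes from the
    // OS cryptographically secure random source.
    public static byte[] GenerateKey(int sizeInBytes)
    {
        return RandomNumberGenerator.GetBytes(sizeInBytes);
    }

    // FIXED, older runtimes (.NET Framework / .NET Core before 6): create an instance
    // and fill the buffer. Dispose it when done.
    public static byte[] GenerateKeyLegacy(int sizeInBytes)
    {
        var key = new byte[sizeInBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }
        return key;
    }
}

public static class Program
{
    public static void Main()
    {
        // Demonstrates the weakness the rule targets: equal seeds reproduce equal output.
        // The seed 12345 is an arbitrary constructed value.
        var first = new byte[32];
        var second = new byte[32];
        new Random(12345).NextBytes(first);
        new Random(12345).NextBytes(second);
        Console.WriteLine($"System.Random output reproducible from seed: {first.SequenceEqual(second)}");

        // The secure generator has no caller-controlled seed; consecutive keys differ.
        var k1 = KeyGeneration.GenerateKey(32);
        var k2 = KeyGeneration.GenerateKey(32);
        Console.WriteLine($"RandomNumberGenerator keys identical: {k1.SequenceEqual(k2)}");
        Console.WriteLine($"Key length (bytes): {k1.Length}");
    }
}
```

When the key is destined for a specific algorithm, the algorithm's own factory is an equally valid fix: `Aes.Create()` followed by `GenerateKey()` fills `Key` from the same secure source, which avoids hand-sizing the buffer.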
## Impact

If an attacker can predict or reproduce the keys generated by `System.Random`, they may be able to decrypt sensitive data, forge signatures, or impersonate users. This exposes the application to serious risks such as data breaches and loss of confidentiality.