Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
| Property | Value |
|---|---|
| Language | Go |
| Severity | |
| CWE | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The code uses Go's math/rand package to generate random numbers, which is not secure for cryptographic purposes. math/rand is a deterministic, non-cryptographic generator: its entire output sequence can be reproduced by anyone who knows the seed, and even the automatically seeded top-level functions (Go 1.20 and later) are not designed to resist prediction. Use crypto/rand instead, which reads from the operating system's cryptographically secure source, for any value that must be unpredictable.
Impact
If attackers can predict random values (such as session tokens, API keys, or passwords), they could hijack accounts or gain unauthorized access to sensitive data. This weak randomness undermines the security of cryptographic operations and can lead to serious breaches.
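As an added illustration (not code from this rule page), the flagged pattern is shown next to its fix: a seeded math/rand token is reproducible from its seed, while a crypto/rand token is drawn from the OS CSPRNG. The function names `weakToken` and `secureToken` and the sample seed are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	mathrand "math/rand"
)

// weakToken is the pattern the rule flags (CWE-338): math/rand is a
// deterministic generator, so the same seed always yields the same token.
// Names and the seed are constructed for this example.
func weakToken(seed int64, n int) string {
	r := mathrand.New(mathrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// secureToken is the fix: crypto/rand.Read fills the buffer from the
// operating system's cryptographically secure source. The error is checked
// rather than ignored, because a short or failed read must never be used as
// a token.
func secureToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("crypto/rand: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	// Two math/rand tokens from the same seed are identical: an attacker who
	// recovers the seed (e.g. a timestamp) can regenerate every token issued.
	fmt.Println("weak tokens equal:", weakToken(42, 32) == weakToken(42, 32))

	t1, err := secureToken(32)
	if err != nil {
		panic(err)
	}
	t2, _ := secureToken(32)
	fmt.Println("secure token:", t1)
	fmt.Println("secure tokens equal:", t1 == t2)
}
```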