logo

CWE-330 - Use of Insufficiently Random Values

CWE-330 High

  • Abstraction:
  • Class
  • Structure:
  • Simple
  • Status:
  • Stable
Weakness Name

Use of Insufficiently Random Values

Description

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

When product generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.

Common Consequences

Scope: Confidentiality, Other

Impact: Other

Notes: When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.

Scope: Access Control, Other

Impact: Bypass Protection Mechanism, Other

Notes: If product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application.

Scope: Access Control

Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Notes: When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.

Related Weaknesses
  • Release Date:
  • 2006-07-19
  • Latest Modification Date:
  • 2024-02-29

Free security scan for your website