CWE-340: Generation of Predictable Numbers or Identifiers

Causes

• This code generates a unique random identifier for a user's session. Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.,This example also exhibits a Small Seed Space (CWE-339).

Remediation

• Use safe APIs
• Centralize the control
• Add regression tests
• Review logs and telemetry for attempted abuse

Detection

• Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Related CWEs

• CWE-330: Use of Insufficiently Random Values
• CWE-384: Session Fixation
• CWE-341: Predictable from Observable State
• CWE-342: Predictable Exact Value from Previous Values
• CWE-343: Predictable Value Range from Previous Values
• CWE-61: UNIX Symbolic Link (Symlink) Following

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.