SiteShadow

CWE-330 Use of Insufficiently Random Values

What this means

SiteShadow flagged values that are meant to be unpredictable (tokens, IDs, salts, nonces) but are generated with insufficient randomness.

Why it matters

If these values can be predicted, an attacker can guess or brute-force them, for example a session token or a password-reset link, instead of having to search the full value space.

Safer examples

1) Use a cryptographically secure RNG

See CWE-338 / R01 for concrete examples.

2) Use adequate length/entropy

Use at least 128 bits of entropy for tokens and reset links.

3) Avoid predictable sources

Don't derive secrets from timestamps, user IDs, counters, or Math.random().

How SiteShadow detects it (high level)

References
