CWE-334 Small Space of Random Values
Coverage: 6 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 6 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged random values that come from too small a space (too few possibilities) or are generated in a predictable way. This is common with short numeric codes, small-token IDs, or PRNGs not meant for security.
Why it matters
Small or predictable random values can be guessed.
- Token guessing: password reset tokens, API keys, session IDs, invite codes can be brute-forced.
- Account takeover: guessed reset/verify tokens lead directly to takeover.
- Fraud/abuse: predictable promo/invite codes get harvested.
Safer examples
1) Use cryptographically secure random generators
import secrets
token = secrets.token_urlsafe(32) # ~256 bits
import { randomBytes } from "crypto";
const token = randomBytes(32).toString("base64url");
2) If you use short codes, compensate
Short codes (e.g., 6 digits) need strong rate limits, expiry, and attempt caps.
3) Ensure enough entropy for the use case
Session/auth tokens should be high entropy (e.g., 128–256 bits), not "8 chars".
How SiteShadow detects it (high level)
- Detects security-sensitive tokens/IDs generated from small alphabets/lengths or insecure PRNGs.
- Flags uses where the token gates authentication, password reset, or authorization.
References
- CWE-334: https://cwe.mitre.org/data/definitions/334.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.