SiteShadow
Back to vulnerability library
Detected byRegex rules + pattern checksFree

R01 Weak Randomness

What this means

SiteShadow flagged use of non-cryptographic randomness for security-sensitive values (tokens, reset links, session IDs, invitation codes, API keys, nonce/IV generation).

Why it matters

Predictable randomness can enable guessing attacks and token compromise.

Safer examples

1) Use a cryptographically secure RNG

import { randomBytes } from "node:crypto";
const token = randomBytes(32).toString("hex");
import secrets
token = secrets.token_urlsafe(32)

2) Don't use Math.random() / random() for secrets

Those are fine for UI effects and simulations, not auth tokens.

3) Keep token length sufficient

Use at least 128 bits of entropy for security tokens (often 16+ bytes).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this in your code with the free tier.

SiteShadow's free tier covers this exact pattern across the 23 OWASP Top 10 single-file checks. Sign in with your work SSO, first-time sign-in auto-issues your free license.