CWE-340: Generation of Predictable Numbers or Identifiers

Export to Word

Description

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

Extended Description

N/A


ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified


Observed Examples (CVEs)

Related Attack Patterns (CAPEC)

N/A


Attack TTPs

N/A

Modes of Introduction

Phase Note
Architecture and Design N/A
Implementation N/A

Common Consequences

Potential Mitigations

Applicable Platforms


Demonstrative Examples

Intro: This code generates a unique random identifier for a user's session.

Body: Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

function generateSessionID($userID){ srand($userID); return rand(); }

Notes

← Back to CWE list