From 5a048febcf04e1177171a36b7fe5817918819e4c Mon Sep 17 00:00:00 2001 From: ebakrra Date: Tue, 3 Dec 2024 15:54:47 +0000 Subject: [PATCH 01/22] CWE-330: Use of Insufficiently Random Values Documentation Signed-off-by: ebakrra --- .../CWE-693/CWE-330/README.md | 97 +++++++++++++++++++ .../CWE-693/CWE-330/compliant01.py | 10 +- .../CWE-693/CWE-330/noncompliant01.py | 8 +- 3 files changed, 106 insertions(+), 9 deletions(-) create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md new file mode 100644 index 00000000..94be035f --- /dev/null +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
@@ -0,0 +1,97 @@ +# CWE-330: Use of Insufficiently Random Values + +When programming cryptographic functions ensure to use a Pseudo-Random Number Generator (PRNG) source that is random enough to be suitable for encryption. + +Certain algorithms can create sequences of numbers that approximate random distributions. These algorithms, known as pseudorandom number generators (PRNGs) are numbers generated by a computational process and appear random, even though they are produced by a deterministic algorithm. This means that, unlike truly random numbers, which are inherently unpredictable, pseudorandom numbers are generated in a predictable sequence as long as you know the starting point, or the seed, and the algorithm used to generate them. + +PRNGs suitable for encryption must mix non-computational sources such as a mouse, keyboard, or even Lava Lamps [LavaRnd] to be random enough for encryption. + +Python's random module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module however can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister [Mersenne Twister - an overview | ScienceDirect Topics], which is a deterministic algorithm, hence, if an attacker knows or can guess the seed value, they can predict the entire sequence of the pseudorandom numbers. This also means that if two Random class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. + +Therefore, the random module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. 
+ +Instead, for generating random numbers, it is recommended to use a more robust option, like Python's secrets module. + +## Non-compliant Code Example + +In `noncompliant01.py`, we generate a random web token using Python's random module. This makes the token predictable and vulnerable to exploitation, as the sequence of numbers is always the same for any specified seed value. + +*[noncompliant01.py](noncompliant01.py):* + +```py +# SPDX-FileCopyrightText: OpenSSF project contributors +# SPDX-License-Identifier: MIT +""" Non-compliant Code Example """ +import random + + +def generate_web_token(): + """Poor random number generator""" + return random.randrange(int("1" + "0" * 31), int("9" * 32), 1) + + +##################### +# attempting to exploit above code example +##################### +TOKEN = generate_web_token() +print(f"Your insecure token is: {TOKEN}") +``` + +## Compliant Code Example + + [!NOTE] +> The `secrets` module `os.urandom()` is called by `"secrets.token_urlsafe()"` causing its cryptographic strength to depend on the operating system and its entropy sources. +Pure randomness can not be produced in software alone [[cloudflare 2017]](https://blog.cloudflare.com/randomness-101-lavarand-in-production/). + + The `compliant01.py` solution uses the secrets module to generate the random numbers. The secrets module provides access to the most secure source of randomness that the os provides through `os.urandom()`. 
+ +*[compliant01.py](compliant01.py):* + +```py +# SPDX-FileCopyrightText: OpenSSF project contributors +# SPDX-License-Identifier: MIT +""" Compliant Code Example """ +import secrets + + +def generate_web_token(): + """Better cryptographic number generator""" + return secrets.token_urlsafe() + + +##################### +# attempting to exploit above code example +##################### +TOKEN = generate_web_token() +print(f"Your secure token is: {TOKEN}") +``` + +## Automated Detection + +|Tool|Version|Checker|Description| +|:----|:----|:----|:----| +|[sonarlint](https://www.sonarsource.com/products/sonarlint/)|9.0.0.75308|SonarQube 9.7+|When in Connected mode Sonarlint can be configured to detect the Sonar rule ["Using pseudorandom number generators (PRNGs) is security-sensitive"](https://rules.sonarsource.com/python/RSPEC-2245/)| +|[Bandit](https://bandit.readthedocs.io/en/latest/)|1.7.4|[B311](https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html?highlight=B311#b311-random)|Standard pseudo-random generators are not suitable for security/cryptographic purposes.| + +## Related Guidelines + +||| +|:---|:---| +|[SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard)|[MSC30-C. Do not use the rand() function for generating pseudorandom numbers](https://wiki.sei.cmu.edu/confluence/display/c/MSC30-C.+Do+not+use+the+rand%28%29+function+for+generating+pseudorandom+numbers)| +|[SEI CERT C++ Coding Standard](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682)|[MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC50-CPP.+Do+not+use+std%3A%3Arand%28%29+for+generating+pseudorandom+numbers)| +|[The CERT C++ Secure Coding Standard](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682) |[VOID FLP02-CPP. 
Avoid using floating point numbers when precise computation is needed](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046687)| +|[SEI CERT Java Coding Standards](https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards)| [MSC02-J. Generate strong random numbers](https://wiki.sei.cmu.edu/confluence/display/java/MSC02-J.+Generate+strong+random+numbers)| +|MITRE CWE Pillar| [CWE-693: Protection Mechanism Failure (4.12) (mitre.org)](https://cwe.mitre.org/data/definitions/693.html)| +|MITRE CWE Class|[CWE-330, Use of Insufficiently Random Values](http://cwe.mitre.org/data/definitions/330.html)| + +## Biblography + +||| +|:---|:---| +|[[Python docs - random]](https://docs.python.org/3/library/random.html)|Python Software Foundation. (2023). random- Generate pseudo-random numbers[online].Available from: [Python docs - random](https://docs.python.org/3/library/random.html) [accessed 23 August 2023].| +|[[Python docs - secrets]](https://docs.python.org/3/library/secrets.html)|Python Software Foundation. (2023). secrets - Generate secure random numbers for managing secrets [online]. Available from: [Python docs - secrets](https://docs.python.org/3/library/secrets.html) [accessed 23 August 2023].| +|[[Python docs - os]](https://docs.python.org/3/library/os.html)|Python Software Foundation. (2023). os - Miscellaneous operating system interfaces [online].Available from: [Python docs - os](https://docs.python.org/3/library/os.html) [accessed 23 August 2023].| +|[sonar docs - Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2245/)|Sonar Rules - Using pseudorandom number generators (PRNGs) is security-sensitive. 
Available from [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2245/) [accessed 7 September 2023].| +|[[Cloudflare 2017]](https://blog.cloudflare.com/)| [Randomness 101: LavaRand in Production (cloudflare.com)](https://blog.cloudflare.com/randomness-101-lavarand-in-production/)| +|LavaRnd|[LavaRnd](https://www.lavarand.org/)| +|[Science Direct - Mersenne Twister]|[Mersenne Twister - an overview / ScienceDirect Topics](https://www.sciencedirect.com/topics/computer-science/mersenne-twister)| diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/compliant01.py b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/compliant01.py index bb28e6b3..79ed56c2 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/compliant01.py +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/compliant01.py @@ -2,15 +2,15 @@ # SPDX-License-Identifier: MIT """ Compliant Code Example """ import secrets - - + + def generate_web_token(): """Better cryptographic number generator""" return secrets.token_urlsafe() - - + + ##################### # attempting to exploit above code example ##################### TOKEN = generate_web_token() -print(f"Your secure tokens is: {TOKEN}") +print(f"Your secure token is: {TOKEN}") diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/noncompliant01.py b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/noncompliant01.py index 6d71121f..8ba4b03e 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/noncompliant01.py +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/noncompliant01.py @@ -2,13 +2,13 @@ # SPDX-License-Identifier: MIT """ Non-compliant Code Example """ import random - - + + def generate_web_token(): """Poor random number generator""" return random.randrange(int("1" + "0" * 31), int("9" * 32), 1) - - + + ##################### # attempting to exploit above code example ##################### 
From d108ea321941ac85d58cc7f838a2b0c63a3638f7 Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:18:36 +0000 Subject: [PATCH 02/22] Update compliant01.py Updated the blank spaces. Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- .../CWE-693/CWE-330/compliant01.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/compliant01.py b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/compliant01.py index 79ed56c2..673e4de9 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/compliant01.py +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/compliant01.py @@ -2,13 +2,13 @@ # SPDX-License-Identifier: MIT """ Compliant Code Example """ import secrets - - + + def generate_web_token(): """Better cryptographic number generator""" return secrets.token_urlsafe() - - + + ##################### # attempting to exploit above code example ##################### From 6357b3a4d04acf1b9530f7d8f1e272f3cf902927 Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:53:49 +0000 Subject: [PATCH 03/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: myteron Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 94be035f..25f50646 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
@@ -94,4 +94,6 @@ print(f"Your secure token is: {TOKEN}") |[sonar docs - Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2245/)|Sonar Rules - Using pseudorandom number generators (PRNGs) is security-sensitive. Available from [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2245/) [accessed 7 September 2023].| |[[Cloudflare 2017]](https://blog.cloudflare.com/)| [Randomness 101: LavaRand in Production (cloudflare.com)](https://blog.cloudflare.com/randomness-101-lavarand-in-production/)| |LavaRnd|[LavaRnd](https://www.lavarand.org/)| -|[Science Direct - Mersenne Twister]|[Mersenne Twister - an overview / ScienceDirect Topics](https://www.sciencedirect.com/topics/computer-science/mersenne-twister)| +[MATSUMOTO, NISHIMURA 1998] Mersenne Twister: A 623-Dimensionally +Equidistributed Uniform Pseudo-Random +Number Generator, available from: [https://dl.acm.org/doi/pdf/10.1145/272991.272995](https://dl.acm.org/doi/pdf/10.1145/272991.272995), [accessed December 2024]| From 2eb232f29233c36474bb5ac761f1bac6bda5ece3 Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:55:12 +0000 Subject: [PATCH 04/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: myteron Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 25f50646..37a45a43 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
@@ -6,7 +6,8 @@ Certain algorithms can create sequences of numbers that approximate random distr PRNGs suitable for encryption must mix non-computational sources such as a mouse, keyboard, or even Lava Lamps [LavaRnd] to be random enough for encryption. -Python's random module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module however can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister [Mersenne Twister - an overview | ScienceDirect Topics], which is a deterministic algorithm, hence, if an attacker knows or can guess the seed value, they can predict the entire sequence of the pseudorandom numbers. This also means that if two Random class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. +Python's random module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister `MT19937` +[MATSUMOTO, NISHIMURA 1998] (https://dl.acm.org/doi/pdf/10.1145/272991.272995), which is a deterministic algorithm, that, given a particular input, will always produce the same output [Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm). An attacker knowing or can guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two Random class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. Therefore, the random module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. 
Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. From 0440cff496b5e31240afd375f4e7d03747ed82ca Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:55:22 +0000 Subject: [PATCH 05/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: myteron Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 37a45a43..da956454 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -11,7 +11,8 @@ Python's random module is a standard library module that provides functions to g Therefore, the random module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. -Instead, for generating random numbers, it is recommended to use a more robust option, like Python's secrets module. +Instead, for generating random numbers, it is recommended to use a more robust option, such as Python's `secrets` module. + ## Non-compliant Code Example From 871c129ecae001a2793ee062a0058ddfdeaf5a4d Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:55:51 +0000 Subject: [PATCH 06/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: myteron 
Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index da956454..bbca9516 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -45,7 +45,8 @@ print(f"Your insecure token is: {TOKEN}") > The `secrets` module `os.urandom()` is called by `"secrets.token_urlsafe()"` causing its cryptographic strength to depend on the operating system and its entropy sources. Pure randomness can not be produced in software alone [[cloudflare 2017]](https://blog.cloudflare.com/randomness-101-lavarand-in-production/). - The `compliant01.py` solution uses the secrets module to generate the random numbers. The secrets module provides access to the most secure source of randomness that the os provides through `os.urandom()`. + The `compliant01.py` solution uses the `secrets` module to generate the random numbers. The `secrets` module provides access to the most secure source of randomness that an OS provides through `os.urandom()`. + *[compliant01.py](compliant01.py):* From 16daa7fe075b3f3729a1f3ee4ce6564bf0ea6838 Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:56:13 +0000 Subject: [PATCH 07/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: myteron Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index bbca9516..f068ffa3 100644 
--- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -82,7 +82,6 @@ print(f"Your secure token is: {TOKEN}") |:---|:---| |[SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard)|[MSC30-C. Do not use the rand() function for generating pseudorandom numbers](https://wiki.sei.cmu.edu/confluence/display/c/MSC30-C.+Do+not+use+the+rand%28%29+function+for+generating+pseudorandom+numbers)| |[SEI CERT C++ Coding Standard](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682)|[MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC50-CPP.+Do+not+use+std%3A%3Arand%28%29+for+generating+pseudorandom+numbers)| -|[The CERT C++ Secure Coding Standard](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682) |[VOID FLP02-CPP. Avoid using floating point numbers when precise computation is needed](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046687)| |[SEI CERT Java Coding Standards](https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards)| [MSC02-J. Generate strong random numbers](https://wiki.sei.cmu.edu/confluence/display/java/MSC02-J.+Generate+strong+random+numbers)| |MITRE CWE Pillar| [CWE-693: Protection Mechanism Failure (4.12) (mitre.org)](https://cwe.mitre.org/data/definitions/693.html)| |MITRE CWE Class|[CWE-330, Use of Insufficiently Random Values](http://cwe.mitre.org/data/definitions/330.html)| From 4b600554cd2e3cc365fd8ff33e0a5b715efc3b9d Mon Sep 17 00:00:00 2001 From: myteron Date: Thu, 12 Dec 2024 09:22:18 +0000 Subject: [PATCH 08/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index f068ffa3..9930e753 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
@@ -7,7 +7,7 @@ Certain algorithms can create sequences of numbers that approximate random distr PRNGs suitable for encryption must mix non-computational sources such as a mouse, keyboard, or even Lava Lamps [LavaRnd] to be random enough for encryption. Python's random module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister `MT19937` -[MATSUMOTO, NISHIMURA 1998] (https://dl.acm.org/doi/pdf/10.1145/272991.272995), which is a deterministic algorithm, that, given a particular input, will always produce the same output [Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm). An attacker knowing or can guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two Random class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. +[[MATSUMOTO, NISHIMURA 1998](https://dl.acm.org/doi/pdf/10.1145/272991.272995)], which is a deterministic algorithm, that, given a particular input, will always produce the same output [[Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm)]. An attacker knowing or can guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two Random class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. Therefore, the random module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. From 21ef86c8c978457602b9863c4d571889b97d2c26 Mon Sep 17 00:00:00 2001 
From: myteron Date: Thu, 12 Dec 2024 09:22:28 +0000 Subject: [PATCH 09/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 9930e753..28e7bf28 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -96,6 +96,4 @@ print(f"Your secure token is: {TOKEN}") |[sonar docs - Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2245/)|Sonar Rules - Using pseudorandom number generators (PRNGs) is security-sensitive. Available from [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2245/) [accessed 7 September 2023].| |[[Cloudflare 2017]](https://blog.cloudflare.com/)| [Randomness 101: LavaRand in Production (cloudflare.com)](https://blog.cloudflare.com/randomness-101-lavarand-in-production/)| |LavaRnd|[LavaRnd](https://www.lavarand.org/)| -[MATSUMOTO, NISHIMURA 1998] Mersenne Twister: A 623-Dimensionally -Equidistributed Uniform Pseudo-Random -Number Generator, available from: [https://dl.acm.org/doi/pdf/10.1145/272991.272995](https://dl.acm.org/doi/pdf/10.1145/272991.272995), [accessed December 2024]| +|[MATSUMOTO, NISHIMURA 1998]|Mersenne Twister: A 623-Dimensionally Equidistributed Uniform Pseudo-Random Number Generator, available from: [https://dl.acm.org/doi/pdf/10.1145/272991.272995](https://dl.acm.org/doi/pdf/10.1145/272991.272995), [accessed December 2024]| From f5283d4354d59b577ec64f31b2e8a2b68aa86ac7 Mon Sep 17 00:00:00 2001 
From: myteron Date: Thu, 12 Dec 2024 09:22:58 +0000 Subject: [PATCH 10/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 28e7bf28..b7fb8cfd 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -13,7 +13,6 @@ Therefore, the random module is unsuitable for applications requiring high secur Instead, for generating random numbers, it is recommended to use a more robust option, such as Python's `secrets` module. - ## Non-compliant Code Example In `noncompliant01.py`, we generate a random web token using Python's random module. This makes the token predictable and vulnerable to exploitation, as the sequence of numbers is always the same for any specified seed value. From 30c7609c10c912eb58854c86788fcbe515b4e0cd Mon Sep 17 00:00:00 2001 From: myteron Date: Thu, 12 Dec 2024 09:23:16 +0000 Subject: [PATCH 11/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Signed-off-by: myteron --- .../CWE-693/CWE-330/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index b7fb8cfd..929c75ba 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
@@ -24,13 +24,13 @@ In `noncompliant01.py`, we generate a random web token using Python's random mod # SPDX-License-Identifier: MIT """ Non-compliant Code Example """ import random - - + + def generate_web_token(): """Poor random number generator""" return random.randrange(int("1" + "0" * 31), int("9" * 32), 1) - - + + ##################### # attempting to exploit above code example ##################### From 740d618d490ddcfb805efd39a4e90247e78af86e Mon Sep 17 00:00:00 2001 From: myteron Date: Thu, 12 Dec 2024 09:23:26 +0000 Subject: [PATCH 12/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 929c75ba..ae2e616a 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -46,7 +46,6 @@ Pure randomness can not be produced in software alone [[cloudflare 2017]](https: The `compliant01.py` solution uses the `secrets` module to generate the random numbers. The `secrets` module provides access to the most secure source of randomness that an OS provides through `os.urandom()`. - *[compliant01.py](compliant01.py):* ```py From fcbe922043be9dfd5ee72d0e1bb8cdbf802729e6 Mon Sep 17 00:00:00 2001 From: myteron Date: Thu, 12 Dec 2024 09:23:38 +0000 Subject: [PATCH 13/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Signed-off-by: myteron --- .../CWE-693/CWE-330/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index ae2e616a..273d245c 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -53,13 +53,13 @@ Pure randomness can not be produced in software alone [[cloudflare 2017]](https: # SPDX-License-Identifier: MIT """ Compliant Code Example """ import secrets - - + + def generate_web_token(): """Better cryptographic number generator""" return secrets.token_urlsafe() - - + + ##################### # attempting to exploit above code example ##################### From 514e188a02c384118614fa4a4e7ecaceef30ef12 Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Thu, 12 Dec 2024 09:53:54 +0000 Subject: [PATCH 14/22] fixed all sorts of formatting and linting issues that are too hard to communicate via review Signed-off-by: Helge Wehder --- .../CWE-693/CWE-330/README.md | 20 ++++++++++--------- .../CWE-693/CWE-330/noncompliant01.py | 8 ++++---- docs/Secure-Coding-Guide-for-Python/readme.md | 2 +- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 273d245c..1a46fd04 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
@@ -1,8 +1,8 @@ # CWE-330: Use of Insufficiently Random Values -When programming cryptographic functions ensure to use a Pseudo-Random Number Generator (PRNG) source that is random enough to be suitable for encryption. +When programming cryptographic functions ensure to use a Pseudo-Random Number Generator (PRNG) source that is random enough to be suitable for encryption . -Certain algorithms can create sequences of numbers that approximate random distributions. These algorithms, known as pseudorandom number generators (PRNGs) are numbers generated by a computational process and appear random, even though they are produced by a deterministic algorithm. This means that, unlike truly random numbers, which are inherently unpredictable, pseudorandom numbers are generated in a predictable sequence as long as you know the starting point, or the seed, and the algorithm used to generate them. +Certain algorithms can create sequences of numbers that approximate random distributions [[sonar 2024](https://rules.sonarsource.com/python/RSPEC-2245/)]. These algorithms, known as pseudorandom number generators (PRNGs) are numbers generated by a computational process and appear random, even though they are produced by a deterministic algorithm. This means that, unlike truly random numbers, which are inherently unpredictable, pseudorandom numbers are generated in a predictable sequence as long as you know the starting point, or the seed, and the algorithm used to generate them. PRNGs suitable for encryption must mix non-computational sources such as a mouse, keyboard, or even Lava Lamps [LavaRnd] to be random enough for encryption. @@ -36,6 +36,7 @@ def generate_web_token(): ##################### TOKEN = generate_web_token() print(f"Your insecure token is: {TOKEN}") + ``` ## Compliant Code Example @@ -65,6 +66,7 @@ def generate_web_token(): ##################### TOKEN = generate_web_token() print(f"Your secure token is: {TOKEN}") + ``` ## Automated Detection 
@@ -88,10 +90,10 @@ print(f"Your secure token is: {TOKEN}") ||| |:---|:---| -|[[Python docs - random]](https://docs.python.org/3/library/random.html)|Python Software Foundation. (2023). random- Generate pseudo-random numbers[online].Available from: [Python docs - random](https://docs.python.org/3/library/random.html) [accessed 23 August 2023].| -|[[Python docs - secrets]](https://docs.python.org/3/library/secrets.html)|Python Software Foundation. (2023). secrets - Generate secure random numbers for managing secrets [online]. Available from: [Python docs - secrets](https://docs.python.org/3/library/secrets.html) [accessed 23 August 2023].| -|[[Python docs - os]](https://docs.python.org/3/library/os.html)|Python Software Foundation. (2023). os - Miscellaneous operating system interfaces [online].Available from: [Python docs - os](https://docs.python.org/3/library/os.html) [accessed 23 August 2023].| -|[sonar docs - Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2245/)|Sonar Rules - Using pseudorandom number generators (PRNGs) is security-sensitive. Available from [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2245/) [accessed 7 September 2023].| -|[[Cloudflare 2017]](https://blog.cloudflare.com/)| [Randomness 101: LavaRand in Production (cloudflare.com)](https://blog.cloudflare.com/randomness-101-lavarand-in-production/)| -|LavaRnd|[LavaRnd](https://www.lavarand.org/)| -|[MATSUMOTO, NISHIMURA 1998]|Mersenne Twister: A 623-Dimensionally Equidistributed Uniform Pseudo-Random Number Generator, available from: [https://dl.acm.org/doi/pdf/10.1145/272991.272995](https://dl.acm.org/doi/pdf/10.1145/272991.272995), [accessed December 2024]| +|[[Python docs - random](https://docs.python.org/3/library/random.html)]|Python Software Foundation. (2023). random- Generate pseudo-random numbers [online]. 
Available from: [https://docs.python.org/3/library/random.html](https://docs.python.org/3/library/random.html) [accessed 23 August 2023].| +|[[Python docs - secrets](https://docs.python.org/3/library/secrets.html)]|Python Software Foundation. (2023). secrets - Generate secure random numbers for managing secrets [online]. Available from: [https://docs.python.org/3/library/secrets.html](https://docs.python.org/3/library/secrets.html) [accessed 23 August 2023]| +|[[Python docs - os](https://docs.python.org/3/library/os.html)]|Python Software Foundation. (2023). os - Miscellaneous operating system interfaces [online]. Available from: [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html) [accessed 23 August 2023].| +|[[sonar 2024](https://rules.sonarsource.com/python/RSPEC-2245/)]|Sonar Rules - Using pseudorandom number generators (PRNGs) is security-sensitive [online]. Available from: [https://rules.sonarsource.com/python/RSPEC-2245/](https://rules.sonarsource.com/python/RSPEC-2245/) [accessed 7 September 2023]| +|[[Cloudflare 2017](https://blog.cloudflare.com/)]| Randomness 101: LavaRand in Production (cloudflare.com) [online]. Available from:[https://blog.cloudflare.com/randomness-101-lavarand-in-production/](https://blog.cloudflare.com/randomness-101-lavarand-in-production/). [accessed 12 December 2024]| +|[LavaRnd]|LAVARND ... truely random since 2000 [online]. Available from: [https://www.lavarand.org/](https://www.lavarand.org/) [accessed 12 December 2024]| +|[MATSUMOTO, NISHIMURA 1998]|Mersenne Twister: A 623-Dimensionally Equidistributed Uniform Pseudo-Random Number Generator [online]. Available from: [https://dl.acm.org/doi/pdf/10.1145/272991.272995](https://dl.acm.org/doi/pdf/10.1145/272991.272995) [accessed 12 December 2024]| diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/noncompliant01.py b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/noncompliant01.py index 8ba4b03e..6d71121f 100644 
--- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/noncompliant01.py +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/noncompliant01.py @@ -2,13 +2,13 @@ # SPDX-License-Identifier: MIT """ Non-compliant Code Example """ import random - - + + def generate_web_token(): """Poor random number generator""" return random.randrange(int("1" + "0" * 31), int("9" * 32), 1) - - + + ##################### # attempting to exploit above code example ##################### diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index 21d6964b..3a540092 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md @@ -70,7 +70,7 @@ It is **not production code** and requires code-style or python best practices t |[CWE-693: Protection Mechanism Failure](https://cwe.mitre.org/data/definitions/693.html)|Prominent CVE| |:----------------------------------------------------------------|:----| |[CWE-184: Incomplete List of Disallowed Input](CWE-693/CWE-184/.)|| -|[CWE-330: Use of Insufficiently Random Values](CWE-693/CWE-330/.)|| +|[CWE-330: Use of Insufficiently Random Values](CWE-693/CWE-330/README.md)|[CVE-2020-7548](https://www.cvedetails.com/cve/CVE-2020-7548),
CVSSv3.1: **9.8**,
EPSS: **0.22** (12.12.2024)| |[CWE-798: Use of hardcoded credentials](CWE-693/CWE-798/.)|| |[CWE-697: Incorrect Comparison](https://cwe.mitre.org/data/definitions/703.html)|Prominent CVE| From 6423f1eab9b7aee63705d86e266dadc021065e54 Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Mon, 23 Dec 2024 12:07:55 +0000 Subject: [PATCH 15/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 1a46fd04..41af7f2e 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
@@ -7,7 +7,8 @@ Certain algorithms can create sequences of numbers that approximate random distr PRNGs suitable for encryption must mix non-computational sources such as a mouse, keyboard, or even Lava Lamps [LavaRnd] to be random enough for encryption. Python's random module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister `MT19937` -[[MATSUMOTO, NISHIMURA 1998](https://dl.acm.org/doi/pdf/10.1145/272991.272995)], which is a deterministic algorithm, that, given a particular input, will always produce the same output [[Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm)]. An attacker knowing or can guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two Random class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. +[[MATSUMOTO, NISHIMURA 1998](https://dl.acm.org/doi/pdf/10.1145/272991.272995)], which is a deterministic algorithm, that, given a particular input, will always produce the same output [[Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm)]. An attacker knowing or guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two `Random` class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. + Therefore, the random module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. From 6d0307a31912ebea0481cfac3ec3948fb40e53c7 Mon Sep 17 00:00:00 2001 
From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Mon, 23 Dec 2024 12:08:10 +0000 Subject: [PATCH 16/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 41af7f2e..e1301673 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
@@ -6,7 +6,7 @@ Certain algorithms can create sequences of numbers that approximate random distr PRNGs suitable for encryption must mix non-computational sources such as a mouse, keyboard, or even Lava Lamps [LavaRnd] to be random enough for encryption. -Python's random module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister `MT19937` +Python's `random` module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister `MT19937` [[MATSUMOTO, NISHIMURA 1998](https://dl.acm.org/doi/pdf/10.1145/272991.272995)], which is a deterministic algorithm, that, given a particular input, will always produce the same output [[Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm)]. An attacker knowing or guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two `Random` class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. From a9c364e8ee4cf9550ac9dcfd04e41269058eb792 Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Mon, 23 Dec 2024 12:08:29 +0000 Subject: [PATCH 17/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index e1301673..98e9615c 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -10,7 +10,7 @@ Python's `random` module is a standard library module that provides functions to [[MATSUMOTO, NISHIMURA 1998](https://dl.acm.org/doi/pdf/10.1145/272991.272995)], which is a deterministic algorithm, that, given a particular input, will always produce the same output [[Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm)]. An attacker knowing or guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two `Random` class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. -Therefore, the random module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. +Therefore, the `random` module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. Instead, for generating random numbers, it is recommended to use a more robust option, such as Python's `secrets` module. From 933a236c240d6e80e6ae119b224afe0f5c9364b5 Mon Sep 17 00:00:00 2001 
From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Mon, 23 Dec 2024 12:08:53 +0000 Subject: [PATCH 18/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 98e9615c..981d7dc2 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -98,3 +98,4 @@ print(f"Your secure token is: {TOKEN}") |[[Cloudflare 2017](https://blog.cloudflare.com/)]| Randomness 101: LavaRand in Production (cloudflare.com) [online]. Available from:[https://blog.cloudflare.com/randomness-101-lavarand-in-production/](https://blog.cloudflare.com/randomness-101-lavarand-in-production/). [accessed 12 December 2024]| |[LavaRnd]|LAVARND ... truely random since 2000 [online]. Available from: [https://www.lavarand.org/](https://www.lavarand.org/) [accessed 12 December 2024]| |[MATSUMOTO, NISHIMURA 1998]|Mersenne Twister: A 623-Dimensionally Equidistributed Uniform Pseudo-Random Number Generator [online]. Available from: [https://dl.acm.org/doi/pdf/10.1145/272991.272995](https://dl.acm.org/doi/pdf/10.1145/272991.272995) [accessed 12 December 2024]| +|[[Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm)]|Deterministic algorithm [online]. Available from: [https://en.wikipedia.org/wiki/Deterministic_algorithm](https://en.wikipedia.org/wiki/Deterministic_algorithm) [accessed 12 December 2024]| From c6386a997d973d5ccf809daf44b42015987ed5a3 Mon Sep 17 00:00:00 2001 
From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Thu, 2 Jan 2025 16:19:14 +0000 Subject: [PATCH 19/22] Update README.md Had one too many blank lines! Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 981d7dc2..b72f28a2 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md 
@@ -9,7 +9,6 @@ PRNGs suitable for encryption must mix non-computational sources such as a mouse Python's `random` module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister `MT19937` [[MATSUMOTO, NISHIMURA 1998](https://dl.acm.org/doi/pdf/10.1145/272991.272995)], which is a deterministic algorithm, that, given a particular input, will always produce the same output [[Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm)]. An attacker knowing or guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two `Random` class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. - Therefore, the `random` module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. Instead, for generating random numbers, it is recommended to use a more robust option, such as Python's `secrets` module. From 96107ef58ea5689ae8def3abae4a0dd9f5a7e9c0 Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Wed, 8 Jan 2025 11:21:51 +0000 Subject: [PATCH 20/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: David A. Wheeler Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index b72f28a2..3b832ff8 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -9,7 +9,8 @@ PRNGs suitable for encryption must mix non-computational sources such as a mouse Python's `random` module is a standard library module that provides functions to generate pseudorandom numbers for various distributions. This module can lead to a vulnerability due to its predictability. The random module is based on the Mersenne Twister `MT19937` [[MATSUMOTO, NISHIMURA 1998](https://dl.acm.org/doi/pdf/10.1145/272991.272995)], which is a deterministic algorithm, that, given a particular input, will always produce the same output [[Wikipedia 2024](https://en.wikipedia.org/wiki/Deterministic_algorithm)]. An attacker knowing or guessing the seed value can predict the entire sequence of the pseudorandom numbers. This also means that if two `Random` class objects are created using an identical seed, they will generate the same sequence of numbers, regardless of the Python environment. -Therefore, the `random` module is unsuitable for applications requiring high security as it does not incorporate cryptographic randomness, which means it is not resistant to reverse engineering. Its limited entropy makes it easier for attackers to deduce the internal state of the generator and predict future outputs. +Therefore, the `random` module is unsuitable for applications requiring security as it does not incorporate cryptographic randomness, which means it is predictable. Its use makes it easy for attackers to deduce the internal state of the generator and predict future outputs. + Instead, for generating random numbers, it is recommended to use a more robust option, such as Python's `secrets` module. 
From 2d4ce3a57d18103433afbfb211094d710488e041 Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Wed, 8 Jan 2025 11:22:04 +0000 Subject: [PATCH 21/22] Update docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md Co-authored-by: David A. Wheeler Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 3b832ff8..0a06f315 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -12,7 +12,8 @@ Python's `random` module is a standard library module that provides functions to Therefore, the `random` module is unsuitable for applications requiring security as it does not incorporate cryptographic randomness, which means it is predictable. Its use makes it easy for attackers to deduce the internal state of the generator and predict future outputs. -Instead, for generating random numbers, it is recommended to use a more robust option, such as Python's `secrets` module. +Instead, for generating random numbers for security purposes, use an appropriate option, such as Python's `secrets` module. + ## Non-compliant Code Example From 2e76dbb7334251207af9d132610cc2d03a073837 Mon Sep 17 00:00:00 2001 From: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> Date: Wed, 8 Jan 2025 11:26:28 +0000 Subject: [PATCH 22/22] Update README.md There were 2 new blank lines after signing off on some changes... updated that now. Signed-off-by: BartyBoi1128 <58297160+BartyBoi1128@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md index 0a06f315..a400cf59 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-330/README.md @@ -11,10 +11,8 @@ Python's `random` module is a standard library module that provides functions to Therefore, the `random` module is unsuitable for applications requiring security as it does not incorporate cryptographic randomness, which means it is predictable. Its use makes it easy for attackers to deduce the internal state of the generator and predict future outputs. - Instead, for generating random numbers for security purposes, use an appropriate option, such as Python's `secrets` module. - ## Non-compliant Code Example In `noncompliant01.py`, we generate a random web token using Python's random module. This makes the token predictable and vulnerable to exploitation, as the sequence of numbers is always the same for any specified seed value.
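Review bot: In PATCH 14/22, README.md hunk `@@ -1,8 +1,8 @@`, the first `+` line turns "suitable for encryption." into "suitable for encryption ." with a stray space before the full stop, which looks like an accidental edit; drop the space. The second `+` line still reads "These algorithms, known as pseudorandom number generators (PRNGs) are numbers generated by a computational process", which calls the algorithms numbers. Since the line is already being touched for the new [sonar 2024] citation, reword it so that PRNGs are the algorithms and the pseudorandom numbers are their output.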
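Review bot: In PATCH 14/22, README.md hunks `@@ -36,6 +36,7 @@` and `@@ -65,6 +66,7 @@`, the added blank `+` line sits between the `print(...)` line and the closing fence, so it lands inside the fenced Python block and the rendered example ends with an empty line. If the intent was a blank line around the fence for the Markdown linter, it belongs after the closing fence, where the context already shows one; otherwise drop the addition in both hunks.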
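Review bot: In PATCH 14/22, README.md hunk `@@ -88,10 +90,10 @@`, the rewritten bibliography rows are still inconsistent with each other. The [Cloudflare 2017] key links to `https://blog.cloudflare.com/` while its entry points at the LavaRand article, and the same row has "Available from:[" without a space and a full stop before "[accessed". Only two of the seven rows end in a full stop, the `random` row keeps "random- Generate", the [LavaRnd] and [MATSUMOTO, NISHIMURA 1998] keys are unlinked while the other five are links, and the key [sonar 2024] sits beside "accessed 7 September 2023". Pick one pattern for key, title, URL and access date and apply it to every row in this hunk.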
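Review bot: In PATCH 14/22, readme.md hunk `@@ -70,7 +70,7 @@`, the `+` row changes the CWE-330 link target to `CWE-693/CWE-330/README.md` while the neighbouring CWE-184 and CWE-798 rows keep the `CWE-693/CWE-184/.` form, so the index table now mixes two link styles; either convert the sibling rows as well or keep `/.` here. The trailing context line also labels the next table "CWE-697: Incorrect Comparison" but links to `definitions/703.html`, which is worth correcting in a follow-up given that this commit is described as a formatting and linting clean-up.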
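Review bot: In PATCH 16/22, hunk `@@ -6,7 +6,7 @@`, the `+` line puts backticks around the first mention ("Python's `random` module") but leaves "The random module is based on the Mersenne Twister" unformatted two sentences later in the same line. Format both mentions so the module name renders consistently, as PATCH 17/22 does for the paragraph that follows.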
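Review bot: PATCH 22/22's only hunk, `@@ -11,10 +11,8 @@`, deletes the two blank lines that PATCH 20/22 and PATCH 21/22 each added as a second `+` line, in the same way that PATCH 19/22 deletes the blank line added by PATCH 15/22. Squash these fix-ups into the patches that introduced the blank lines so the series carries no add-then-remove churn and each remaining patch shows only its wording change.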