CWE-334 Small Space of Random Values
What this means
SiteShadow flagged random values that come from too small a space (too few possibilities) or are generated in a predictable way. This is common with short numeric codes, small-token IDs, or PRNGs not meant for security.
Why it matters
Small or predictable random values can be guessed.
- Token guessing: password reset tokens, API keys, session IDs, invite codes can be brute-forced.
- Account takeover: guessed reset/verify tokens lead directly to takeover.
- Fraud/abuse: predictable promo/invite codes get harvested.
Safer examples
1) Use cryptographically secure random generators

Python:

```python
import secrets
token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
```

Node.js:

```javascript
import { randomBytes } from "crypto";
const token = randomBytes(32).toString("base64url");
```
2) If you use short codes, compensate
Short codes (e.g., 6 digits) need strong rate limits, expiry, and attempt caps.
3) Ensure enough entropy for the use case
Session/auth tokens should be high entropy (e.g., 128–256 bits), not "8 chars".
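The following is an added example (not SiteShadow's code) that puts points 2 and 3 together: an entropy calculation for a token format, a CSPRNG-backed short-code generator, and a verifier that compensates for a low-entropy code with expiry and a per-code attempt cap. The policy constants, the class and function names, and the in-memory store are assumptions chosen for illustration.

```python
import math
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not from SiteShadow): how long a short code stays valid
# and how many wrong guesses are tolerated before the code is voided.
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def classify_token(alphabet_size: int, length: int, minimum_bits: float = 128.0) -> str:
    """'ok' if the format meets the minimum entropy, otherwise 'too-small' (the CWE-334 case)."""
    return "ok" if entropy_bits(alphabet_size, length) >= minimum_bits else "too-small"


def generate_numeric_code(digits: int = 6) -> str:
    """Short numeric code drawn with a CSPRNG (secrets.randbelow is uniform), zero-padded
    so every code has the same length and a leading zero leaks nothing."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0


class ShortCodeVerifier:
    """Compensating controls for a low-entropy code: expiry plus an attempt cap.
    In-memory store keyed by user; a real deployment would persist this."""

    def __init__(self, ttl=CODE_TTL_SECONDS, max_attempts=MAX_ATTEMPTS, clock=time.time):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._codes = {}

    def issue(self, user_id: str, digits: int = 6) -> str:
        code = generate_numeric_code(digits)
        self._codes[user_id] = IssuedCode(code=code, issued_at=self.clock())
        return code

    def verify(self, user_id: str, candidate: str) -> str:
        """Return 'ok', 'expired', 'locked', 'no-code' or 'mismatch'.
        The code is single-use and is voided on expiry or when the attempt cap is hit,
        so a guesser gets at most `max_attempts` tries at a ~20-bit space."""
        rec = self._codes.get(user_id)
        if rec is None:
            return "no-code"
        if self.clock() - rec.issued_at > self.ttl:
            del self._codes[user_id]
            return "expired"
        rec.attempts += 1
        # Constant-time comparison so the check itself does not leak matching digits.
        if secrets.compare_digest(rec.code, candidate):
            del self._codes[user_id]
            return "ok"
        if rec.attempts >= self.max_attempts:
            del self._codes[user_id]
            return "locked"
        return "mismatch"
```

A 6-digit code is only about 20 bits, so without the cap and expiry a few hundred thousand guesses would exhaust it; with a cap of 5 guesses per code and a 10-minute lifetime, the attacker's odds per code stay at 5 in a million.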
How SiteShadow detects it (high level)
- Detects security-sensitive tokens/IDs generated from small alphabets/lengths or insecure PRNGs.
- Flags uses where the token gates authentication, password reset, or authorization.
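As an added illustration of the two detection ideas above (not SiteShadow's actual engine, which is not described on this page), here is a small line-based scanner: it looks for security-sensitive variable names assigned from a non-cryptographic PRNG, or from a `secrets.token_*` call with too few bytes. The name list, the byte threshold and the sample source lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed heuristic: identifiers that suggest the value gates auth, reset or authorization.
SENSITIVE_NAME = re.compile(r"(token|secret|session|reset|otp|invite|api_?key|nonce)", re.I)
# PRNGs not designed for security: Python's random module and JavaScript's Math.random.
INSECURE_PRNG = re.compile(
    r"\b(random\.(random|randint|choice|choices|getrandbits|randrange)|Math\.random)\s*\("
)
# secrets.token_*(n): n bytes below MIN_BYTES (16 bytes = 128 bits) is a small space.
SECRETS_CALL = re.compile(r"secrets\.token_(?:hex|bytes|urlsafe)\(\s*(\d+)\s*\)")
MIN_BYTES = 16


@dataclass
class Finding:
    line_no: int
    kind: str   # "insecure-prng" or "short-length"
    text: str


def scan_source(lines):
    """Return a Finding for each line where a sensitive-looking name is assigned
    from an insecure PRNG or from a secrets.token_* call with too few bytes."""
    findings = []
    for i, line in enumerate(lines, start=1):
        lhs = line.split("=", 1)[0]
        if not SENSITIVE_NAME.search(lhs):
            continue  # random.* used for non-security purposes is not a finding
        if INSECURE_PRNG.search(line):
            findings.append(Finding(i, "insecure-prng", line.strip()))
            continue
        m = SECRETS_CALL.search(line)
        if m and int(m.group(1)) < MIN_BYTES:
            findings.append(Finding(i, "short-length", line.strip()))
    return findings


# Constructed sample source lines (mixed Python and JavaScript) for a local run.
SAMPLE = [
    'import random, secrets',
    'reset_token = "".join(random.choice(ALPHABET) for _ in range(8))',   # insecure PRNG
    'session_id = secrets.token_hex(4)',                                   # only 32 bits
    'api_key = secrets.token_urlsafe(32)',                                 # fine: 256 bits
    'const inviteCode = Math.random().toString(36).slice(2, 8);',          # insecure PRNG
    'shuffle_seed = random.randint(0, 99)',                                # not security-sensitive
]

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {f.text}")
```

The name-based filter is what keeps the second rule on the page honest: `random.randint` for a shuffle is fine, the same call feeding a reset token is not, so the scanner only reports where the value gates something sensitive.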
References
- CWE-334: https://cwe.mitre.org/data/definitions/334.html
---