Cryptography / Predictable Exact Value from Previous Values

Description

Predictable Exact Value from Previous Values (CWE-329) is a vulnerability within the cryptography category. It occurs when an attacker can predict the exact value of a certain cryptographic element that is generated using an algorithm that is based on the previous value of the same element. This can be exploited by an attacker to gain access to confidential data or to spoof authentication credentials (OWASP Testing Guide). This vulnerability is commonly found in web and API applications.

Risk

Predictable Exact Value from Previous Values can lead to the attacker gaining access to confidential data, spoofing authentication credentials and, more generally, compromising the security of the system. This vulnerability can result in a high risk for the system and its users.

Solution

The best solution for this vulnerability is to use a secure random number generator for the cryptographic elements. This should generate unpredictable values that are harder for an attacker to guess. Additionally, it's also important to ensure that the cryptographic elements are not deterministic.

Example

The following example of code contains Predictable Exact Value from Previous Values vulnerability.

// Vulnerable code
var token = 0;
function generateToken() {
    token ++;
    return token;
}

In this example, the token is generated by incrementing the previous token value. This makes it easy for an attacker to predict the exact value of the token, making it vulnerable to attack.