Cryptography / Predictable Value Range from Previous Values

Description

Predictable Value Range from Previous Values (CWE-328) is a vulnerability in cryptography found in web and API applications. It occurs when a user of an application can guess the range of the random numbers that are generated because the range is too small or predictable. This can lead to an attacker predicting the value of the code, allowing them to gain access to the system. The Common Weakness Enumeration (CWE) directory lists this vulnerability as CWE-328. The OWASP Testing Guide also has additional resources to help understand and test for this vulnerability.

Risk

Predictable Value Range from Previous Values is a high-impact vulnerability, as it can potentially lead to the attacker gaining access to the system. It is also considered a high-risk vulnerability, as it is relatively easy to exploit, given the right conditions.

Solution

The best way to fix this vulnerability is to ensure that the range of random numbers that are generated is large enough to prevent an attacker from guessing the values. Additionally, the application should also use cryptographic functions to securely generate and store the random numbers, as this will make it more difficult for an attacker to predict the values.

Example

The following is an example of vulnerable code from the CVE directory:

int getRandomNumber() {
  static int prevNum = 0;
  int randomNum;
 
  // Generate a random number between 0 and 10
  randomNum = (prevNum + 1) % 10;
 
  // Store the generated number
  prevNum = randomNum;
 
  return randomNum;
}

This code will generate a random number between 0 and 10, however, since the range is predictable, an attacker can easily guess the value and gain access to the system.