cwe-330-weak-prng
CWE-330 Use of Insufficiently Random Values
Description
Use of Insufficiently Random Values
Reference: https://cwe.mitre.org/data/definitions/330.html
OWASP Category: A02:2021 – Cryptographic Failures
Vulnerable Pattern
❌ Example 1
```java
public ResponseEntity<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel1(
        @RequestParam Map<String, String> queryParams) {
    String password = queryParams.get(PASSWORD_PARAM);
    // No password param: return the challenge hash
    if (password == null || password.isEmpty()) {
        return new ResponseEntity<>(
                new GenericVulnerabilityResponseBean<>(
                        "CHALLENGE: A user's password is stored as MD5 hash: "
                                + LEVEL1_HASH
                                + " — Crack it and enter the original password!",
                        false),
                HttpStatus.OK);
    }
    // Verify the guess
    String guessHash = DigestUtils.md5Hex(password);
    if (guessHash.equals(LEVEL1_HASH)) {
        // ... (truncated for brevity)
```
Deterministic Fix
✅ Secure Implementation
```java
public ResponseEntity<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel4(
        @RequestParam Map<String, String> queryParams) {
    String password = queryParams.get(PASSWORD_PARAM);
    if (password == null || password.isEmpty()) {
        return new ResponseEntity<>(
                new GenericVulnerabilityResponseBean<>(
                        "CHALLENGE: The system 'encrypts' passwords using Base64 encoding. "
                                + "The stored password is: "
                                + LEVEL4_ENCODED
                                + " — Decode it and enter the original password!",
                        false),
                HttpStatus.OK);
    }
    if (password.equals(LEVEL4_SECRET)) {
        return new ResponseEntity<>(
                new GenericVulnerabilityResponseBean<>(
                        "Correct! The password was '"
                                + LEVEL4_SECRET
                                + "'. Base64 is an encoding, NOT encryption."
                                + " It provides zero security — anyone can decode it instantly.",
                        true),
                HttpStatus.OK);
    } else {
        // ... (truncated for brevity)
```
Detection Pattern
Look for these patterns in your codebase:
```bash
# Find insecure random usage (java.util.Random and Math.random are not cryptographically secure)
grep -rn "new Random()\|Math.random()" --include="*.java"
# Find security-related random usage (token, secret or key handling near a random call)
grep -rn "token\|secret\|key" --include="*.java" | grep -i random
```
Remediation Steps
- Replace Random with SecureRandom for security-sensitive values
- Use SecureRandom for session tokens, CSRF tokens, API keys
- Ensure sufficient entropy in random generation
- Avoid seeding SecureRandom with predictable values
Key Imports
```java
import java.security.SecureRandom;
import java.util.UUID;
```
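The remediation steps above, shown side by side as an added example (this is not code from the page's project): a token generator built on java.util.Random with a clock-derived seed, beside the same generator built on SecureRandom. The class and method names are assumptions for the illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example (hypothetical class): weak vs. secure token generation.
public final class TokenGenerator {
    // 32 bytes = 256 bits, enough for a session or CSRF token.
    private static final int TOKEN_BYTES = 32;

    // One shared SecureRandom, left to self-seed from the platform CSPRNG.
    // Never pass it a fixed or predictable seed.
    private static final SecureRandom SECURE = new SecureRandom();

    // Weak: java.util.Random is a 48-bit linear congruential generator. Its
    // entire output is a function of the seed, and a seed taken from the
    // clock lies in a small, guessable range.
    static String weakToken(long clockSeed) {
        Random rng = new Random(clockSeed);
        byte[] buf = new byte[TOKEN_BYTES];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Fixed: draw the bytes from SecureRandom instead.
    static String secureToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        long seed = System.currentTimeMillis();
        // Same seed, same "token": whoever can reconstruct the seed
        // reconstructs the token. This prints true.
        System.out.println("weak tokens repeat: "
                + weakToken(seed).equals(weakToken(seed)));
        // Two SecureRandom draws are independent. This prints false.
        System.out.println("secure tokens repeat: "
                + secureToken().equals(secureToken()));
    }
}
```

The verification step "check that tokens are not predictable" maps directly onto the first comparison: any generator whose output can be reproduced from a small or guessable seed fails it.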
Verification
After remediation:
- Re-run SAST scan - CWE-330 should be resolved
- Verify SecureRandom is used for security tokens
- Check that tokens are not predictable
Trigger Examples
Fix CWE-330 vulnerability
Resolve Use of Insufficiently Random Values issue
Secure this Java code against use of insufficiently random values
SAST reports CWE-330
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|---|---|
| Security | *Token*.java | Token generation |
| Utility | *Util.java | ID generation |
| Service | *Service.java | Secret generation |
References
Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07