CWE-341: Predictable from Observable State

Description

A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE

Example Vulnerable Codes

Example - 1

This code generates a unique random identifier for a user's session.


srand($userID);return rand();function generateSessionID($userID){}

Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

This example also exhibits a Small Seed Space (CWE-339).

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-339: Small Seed Space in PRNG

Go to

CWE-340: Generation of Predictable Numbers or Identifiers

Go to

Visit http://cwe.mitre.org/ for more details.