Ruby Use Of Insecure Random Function
Description
This detector identifies the use of insecure random number generators in Ruby code when cryptographic libraries (bcrypt, digest) are imported. A weak random number generator produces predictable values, which compromises any operation where randomness is critical, such as encryption, tokens, or authentication.
Detection Strategy
• Check if bcrypt or digest cryptographic libraries are imported in the Ruby code
• Identify method calls that are insecure random number generation functions (like rand(), Random.rand(), or similar weak generators)
• Verify that the first argument to these insecure random functions comes from an unsafe source or definition
• Report vulnerability when insecure random generators are used in contexts where cryptographic libraries are present, indicating potential cryptographic weakness
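A minimal sketch of the first, second and fourth checks above, written for this page as an added example and not Fluid Attacks' own detector code. It works on Ruby's lexer tokens via the standard ripper library; the helper name insecure_random_lines and both sample sources are assumptions constructed here, and the first-argument check from the third bullet is not modelled.

```ruby
require 'ripper'

CRYPTO_LIBS = %w[bcrypt digest].freeze # libraries named in the detection strategy

# Constructed sample inputs, modelled on the page's two snippets.
VULNERABLE_SRC = <<~'RUBY'
  require 'bcrypt'
  class AuthService
    def create_password_hash
      BCrypt::Password.create(rand(400000000).to_s)
    end
  end
RUBY

SECURE_SRC = <<~'RUBY'
  require 'bcrypt'
  require 'securerandom'
  # rand() appears only in this comment, so it must not be reported
  class AuthService
    def create_password_hash
      BCrypt::Password.create(SecureRandom.hex(16))
    end
  end
RUBY

# Hypothetical helper: returns the line numbers where Kernel#rand or the
# Random class is used in a source that also requires bcrypt or digest.
# Working on lexer tokens means comments and string contents are ignored.
def insecure_random_lines(source)
  toks = Ripper.lex(source)
               .map { |(line, _col), type, text| [line, type, text] }
               .reject { |_, type, _| %i[on_sp on_nl on_ignored_nl].include?(type) }
  uses_crypto = toks.each_cons(3).any? do |(req, _quote, lib)|
    req[2] == 'require' && lib[1] == :on_tstring_content &&
      CRYPTO_LIBS.include?(lib[2].split('/').first)
  end
  return [] unless uses_crypto

  toks.each_with_index.filter_map do |(line, type, text), i|
    prev = i.zero? ? nil : toks[i - 1]
    # A bare `rand` is Kernel#rand; `x.rand` and `def rand` are someone else's method.
    bare_rand = type == :on_ident && text == 'rand' &&
                !(prev && (prev[1] == :on_period || prev[2] == 'def'))
    line if bare_rand || (type == :on_const && text == 'Random')
  end.uniq
end

puts "vulnerable sample: lines #{insecure_random_lines(VULNERABLE_SRC).inspect}"
puts "secure sample:     lines #{insecure_random_lines(SECURE_SRC).inspect}"
```

Because SecureRandom is a different constant and SecureRandom.rand has an explicit receiver, neither is reported; a file with no bcrypt or digest require yields no findings at all, matching the detector's stated scope.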
Vulnerable code example
require 'bcrypt'
require 'digest'

class AuthService
  def create_password_hash
    BCrypt::Password.create(rand(400000000).to_s) # Predictable PRNG weakens hash
  end
  # ...
end
Secure code example
require 'bcrypt'
require 'digest'
require 'securerandom'

class AuthService
  def create_password_hash
    BCrypt::Password.create(SecureRandom.hex(16)) # Cryptographically secure random input
  end
  # ...
end