Typescript Weak Random Secret Generation
Description
Detects the usage of cryptographically weak random number generators in TypeScript code. When weak random number generators are used in security contexts (like generating tokens, keys, or passwords), they can produce predictable values that attackers could exploit.
Detection Strategy
• Identifies calls to insecure random number generation functions in TypeScript code
• Checks for usage of Math.random() instead of secure alternatives like crypto.getRandomValues()
• Focuses on random number generation in security-sensitive contexts like key generation, token creation, or password operations
• Reports issues when weak random number generators are used in code that appears to handle sensitive data or security operations
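As an added illustration of the detection strategy above (this is example code written for this page, not Fluid Attacks' rule implementation), the following TypeScript scanner reports a Math.random() call only when a security-sensitive identifier appears in the same statement. The identifier list and the two constructed samples, modelled on the page's vulnerable and secure snippets, are assumptions; a production analyzer works on the AST and tracks where the value flows rather than matching lines.

```typescript
// Added example, not Fluid Attacks' rule implementation: a line-based
// heuristic that flags Math.random() only where a security-sensitive
// identifier appears in the same statement. A real analyzer walks the AST
// and tracks data flow; this version only shows the shape of the check.

export interface Finding {
  line: number;   // 1-based line number in the scanned source
  text: string;   // the offending source line, trimmed
  reason: string; // why it was reported
}

// The non-cryptographic generator we are looking for.
const WEAK_RNG = /\bMath\.random\s*\(\s*\)/;

// Names that suggest a security context (assumed list). Deliberately loose,
// with no leading word boundary, so camelCase names such as jwtSecret or
// sessionId are matched as well.
const SENSITIVE_NAME = /(secret|token|key|password|passwd|salt|nonce|session|otp|csrf)\w*/i;

export function findWeakRandomSecrets(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split('\n').forEach((raw, index) => {
    const text = raw.trim();
    if (text.startsWith('//')) return;   // whole-line comment, nothing to check
    if (!WEAK_RNG.test(text)) return;    // no weak generator on this line
    const name = text.match(SENSITIVE_NAME);
    if (name === null) return;           // e.g. a dice roll: Math.random() is fine there
    findings.push({
      line: index + 1,
      text,
      reason: `Math.random() feeds security-sensitive value "${name[0]}"`,
    });
  });
  return findings;
}

// Constructed samples modelled on the page's vulnerable and secure snippets.
export const VULNERABLE_SAMPLE = [
  "const expressJwt = require('express-jwt');",
  "const express = require('express');",
  "const router = express.Router();",
  "// VULNERABLE: non-cryptographic random value as JWT secret",
  "const jwtAuth = expressJwt({ secret: '' + Math.random() });",
  "const sessionId = Math.random().toString(36).slice(2);",
  "const roll = Math.floor(Math.random() * 6) + 1; // dice roll, no sensitive value involved",
].join('\n');

export const SECURE_SAMPLE = [
  "const crypto = require('crypto');",
  "const jwtSecret = crypto.randomBytes(32).toString('base64');",
  "const jwtAuth = expressJwt({ secret: jwtSecret });",
].join('\n');

// Stand-alone run: report findings for both samples.
for (const [label, sample] of [['vulnerable', VULNERABLE_SAMPLE], ['secure', SECURE_SAMPLE]] as const) {
  const findings = findWeakRandomSecrets(sample);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  line ${f.line}: ${f.reason}`);
}
```

On the vulnerable sample the scanner reports lines 5 and 6 (the JWT secret and the session id) and stays silent on the dice roll; the secure sample produces no findings. Because the name list is intentionally loose, a line such as `const monkeyCount = Math.random()` would also be reported, which is the usual precision trade-off of a text heuristic and the reason real rules reason about the AST.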
Vulnerable code example
const expressJwt = require('express-jwt');
const express = require('express');
const router = express.Router();
// VULNERABLE: Using non-cryptographic random value as JWT secret.
// Math.random() is not a CSPRNG, so the signing secret is predictable.
const jwtAuth = expressJwt({ secret: '' + Math.random() });
router.get('/api', (req, res) => {
  // ... handler body elided on the original page
});
✅ Secure code example
const expressJwt = require('express-jwt');
const express = require('express');
const crypto = require('crypto');
const router = express.Router();
// Secure: Using cryptographically secure random value for JWT secret
// (32 bytes from the OS CSPRNG, base64-encoded)
const jwtSecret = crypto.randomBytes(32).toString('base64');
// algorithms is required by express-jwt 6 and later
const jwtAuth = expressJwt({ secret: jwtSecret, algorithms: ['HS256'] });
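The secure example generates the secret at process start. As an added complement (example code written for this page, not express-jwt's or Fluid Attacks' code), the following module pairs a CSPRNG-backed generator with a startup guard that refuses secrets shaped like a stringified Math.random() value, well-known placeholders, or anything shorter than 32 bytes. The minimum length follows RFC 7518 §3.2 for HS256; the placeholder list, the function names and the sample value `0.8394027106498321` are assumptions.

```typescript
// Added example, not express-jwt's or Fluid Attacks' code: a startup guard
// that rejects obviously weak HMAC secrets, next to a generator that uses
// the operating system's CSPRNG. Thresholds and placeholder list are assumptions.
import { randomBytes } from 'crypto';

// RFC 7518 §3.2: an HS256 key must be at least as long as the hash output (256 bits).
export const MIN_SECRET_BYTES = 32;

// Constructed list of values commonly left in sample configs; extend as needed.
const PLACEHOLDER_SECRETS = new Set(['secret', 'changeme', 'password', 'jwtsecret', 'test']);

export interface SecretCheck {
  ok: boolean;
  reason?: string;
}

export function checkJwtSecret(secret: string): SecretCheck {
  // '' + Math.random() stringifies to "0.<digits>", or to exponent form
  // such as "1.5e-7" for very small values.
  if (/^0\.\d+$/.test(secret) || /^\d(\.\d+)?e-\d+$/.test(secret)) {
    return { ok: false, reason: 'looks like a stringified Math.random() value' };
  }
  if (PLACEHOLDER_SECRETS.has(secret.toLowerCase())) {
    return { ok: false, reason: 'is a well-known placeholder' };
  }
  // Length is only a floor: 32 bytes of text is not 32 bytes of entropy.
  if (Buffer.byteLength(secret, 'utf8') < MIN_SECRET_BYTES) {
    return { ok: false, reason: `is shorter than ${MIN_SECRET_BYTES} bytes` };
  }
  return { ok: true };
}

// Same construction as the page's secure example: CSPRNG bytes, base64-encoded.
export function generateJwtSecret(bytes: number = MIN_SECRET_BYTES): string {
  return randomBytes(bytes).toString('base64');
}

// Fail closed at boot: a configured secret must pass the check; with no
// configured secret, generate one (tokens then do not survive a restart).
export function loadJwtSecret(configured: string | undefined): string {
  const secret = configured ?? generateJwtSecret();
  const check = checkJwtSecret(secret);
  if (!check.ok) throw new Error(`refusing to start: JWT secret ${check.reason}`);
  return secret;
}

// Stand-alone run: show the guard's verdict on a few constructed inputs.
for (const candidate of ['' + Math.random(), 'changeme', generateJwtSecret()]) {
  console.log(JSON.stringify(candidate), '->', JSON.stringify(checkJwtSecret(candidate)));
}
```

The check is a guard against the mistakes in the vulnerable example, not an entropy measurement: a 32-character hex string (16 random bytes) passes the length floor, so the real fix is always to source the value from crypto.randomBytes (or a secrets manager) rather than to trust the check alone. Generating the secret at startup, as both the page's secure example and the fallback here do, also means every running instance signs with a different key unless the value is shared through configuration.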