Go Insecure Random Key Generation
Description
This detector identifies the use of weak pseudorandom number generators from Go's math/rand package for cryptographic key generation. Using math/rand instead of crypto/rand for generating cryptographic keys creates predictable keys that can be easily broken by attackers, compromising the security of encryption, authentication, or other cryptographic operations.
Detection Strategy
• The Go source code must import both the math/rand package and at least one cryptographic library (crypto/*, x/crypto/*, etc.)
• The code contains function calls to specific insecure random functions from math/rand (like Intn, Int63, Float64, etc.)
• These random function calls are used in contexts where cryptographic keys are being generated, as determined by analyzing function parameters and usage patterns
• The detector flags these locations as vulnerable since math/rand produces predictable pseudorandom numbers unsuitable for cryptographic purposes
Vulnerable code example
package main
import (
"crypto/aes"
"crypto/cipher"
"crypto/hmac"
"crypto/sha256"
mrand "math/rand"...✅ Secure code example
package main
import (
"crypto/aes"
"crypto/cipher"
"crypto/hmac"
"crypto/rand"
"crypto/sha256"...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.