Insecure Randomness
Written by Eldar Zavida on
Insecure Randomness
Written by Eldar Zavida on
Introduction
In the digital world, web security is a powerful shield protecting sensitive data and online activities. At the heart of this defense lies the concept of randomness: the absence of any pattern or predictability in a sequence of events or data. Achieving true randomness relies on various sources, such as hardware-based random number generators (RNGs) or algorit
hms that simulate randomness through complex mathematical calculations. These methods aim to generate unpredictable values crucial for cryptographic operations like encryption keys or session tokens. However, if this randomness isn’t strong enough, it can compromise the security of sensitive information and expose vulnerabilities in web applications.
This article explains why strong randomness matters in web security and the dangers of using predictable or weak methods. By following best practices, developers can better protect web applications and users from cyber threats.
Real World Scenario
To generate unpredictable data, real-world events can serve as randomness sources. For example, Cloudflare uses its LavaRand system, which captures images of 100 lava lamps in its lobby. Since lava patterns constantly change, they provide excellent entropy for secure random number generation.
A camera regularly captures images of the lava lamps and sends them to Cloudflare’s servers. Each image, stored as pixel-based numerical data, becomes a string of random numbers. These are fed into a CSPRNG, creating a stream of random values that strengthen TLS encryption for customers.
How it Works
Session tokens are vital web security components, fulfilling diverse roles such as session management, authentication, and access control. They act as unique identifiers or keys, enabling users to validate their identity or authorization to access specific resources. The algorithm responsible for generating these tokens is the PRNG (Pseudorandom Number Generator), which produces a sequence of seemingly random numbers determined by an initial value known as a seed. Today, two types of generators are in use: standard and cryptographic. Developers typically create tokens in standard PRNGs, which are more predictable and can be compromised. Such implementation can significantly impact the overall security of web applications, exposing them to various attacks, including account takeover resulting from the prediction of session tokens.
How to Test for Randomness Issues
Penetration testers must check the randomness of system-generated tokens. The Burp Suite Sequencer tool helps by analyzing a sample of tokens and running tests to evaluate their randomness quality.
Use Case
The consequences of a vulnerability resulting from insecure randomness vary based on the specific context in which the randomness is applied.
For example, where randomness is used to create secure session tokens, the potential impact can be significant. A breach could allow malicious actors to guess other users’ session tokens, ultimately gaining unauthorized access to sensitive information or executing restricted operations on their behalf.
In the demonstration below, an administrative user logs in successfully to a certain web application, and a session token is generated and stored as a cookie.
Because the session token lacks randomness and is easy to guess, an attacker can log in multiple times with their own credentials, compare the generated tokens, and identify the system’s randomness configuration:
Since the differences between the generated tokens are very noticeable, the attacker can now replace its session token with another token by changing the incremented number (“5967”) in its value to an arbitrary number and, consequently, gain unauthorized access to administrative pages and high-privileged functionalities:
Behind the Scenes
To understand how this vulnerability works, consider the following code. Each user has an assigned ID. After a successful login, the server checks the database to find the user’s ID, then uses it to generate a session token by combining a prefix, the user ID, and a suffix.
This can pose a major security issue because it exposes sensitive user data, particularly user IDs directly inserted into the session token generation process. Attackers could potentially exploit this vulnerability in various ways. For instance, they could employ a technique like session fixation, where they manipulate the session ID before authentication to gain unauthorized access or hijack another user’s session. Therefore, such direct inclusion of user IDs in session token generation poses a significant risk to the system’s overall security.
Mitigation
To prevent randomness issues, follow the instructions below provided by Clear Gate for immediate mitigation that can prevent future attacks further:
- Cryptographically Secure Random Number Generators (CSPRNGs) – CSPRNGs are essential for ensuring the unpredictability and cryptographic strength of random values, such as cryptographic keys and nonces, making them integral to randomness management in cybersecurity.
- Increase Complexity of Random Values – Strengthening the complexity or size of random values used in cryptographic operations significantly enhances security by making it more difficult for attackers to predict or guess these values.
- Randomness Testing – Regular randomness testing ensures the quality and reliability of random number generation mechanisms.
- Diversify Randomness Sources – Diversifying randomness sources increases the unpredictability and entropy of generated random values.
Conclusion
In conclusion, effective management of randomness is essential for cybersecurity. By implementing robust strategies such as secure random number generators and diversifying randomness sources, organizations can enhance their security posture and better protect against threats.
Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in session randomization deployments, which have become increasingly popular among companies developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their applications’ security and protect valuable data from potential threats.