Class · High

CWE-340: Generation of Predictable Numbers or Identifiers

CWE-340 · Class Level · 3 CVEs

Description

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

Potential Impact

Other

Varies by Context

Demonstrative Examples

This code generates a unique random identifier for a user's session.
Bad
    function generateSessionID($userID){
        srand($userID);
        return rand();
    }
Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.
This example also exhibits a Small Seed Space (CWE-339).
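
The hardened counterpart of the function above, shown as an added example that is not part of the CWE entry: the identifier comes from PHP's CSPRNG instead of a PRNG seeded with the user ID. The function names and the `isReproducible` check are hypothetical, and the user ID is a constructed sample value.

```php
<?php
declare(strict_types=1);

// Vulnerable form from the entry, kept for comparison: the PRNG is reseeded
// with a value the attacker knows, so the result is a pure function of $userID.
function generateSessionIDPredictable(int $userID): int
{
    srand($userID);
    return rand();
}

// Hardened form (hypothetical name): 128 bits from the operating system's
// CSPRNG, independent of any user attribute, clock value or counter.
function generateSessionIDSecure(): string
{
    return bin2hex(random_bytes(16));
}

// Regression check (hypothetical helper): an identifier generator that returns
// the same value on every call can be reproduced by anyone who knows its inputs.
function isReproducible(callable $generator, int $rounds = 5): bool
{
    $first = $generator();
    for ($i = 1; $i < $rounds; $i++) {
        if ($generator() !== $first) {
            return false;
        }
    }
    return true;
}

$userID = 1001; // constructed sample value

// The seeded generator repeats itself for a given user; the CSPRNG one does not.
var_dump(isReproducible(fn() => generateSessionIDPredictable($userID)));
var_dump(isReproducible(fn() => generateSessionIDSecure()));
```

A check like `isReproducible` only catches generators that depend on nothing but known inputs; it does not prove that a generator passing it is unpredictable, so the source of randomness still needs review.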

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

| CVE ID | Description |
|---|---|
| CVE-2022-29330 | Product for administering PBX systems uses predictable identifiers and timestamps for filenames (CWE-340) which allows attackers to access files via direct request (CWE-425). |
| CVE-2001-1141 | PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. |
| CVE-1999-0074 | Listening TCP ports are sequentially allocated, allowing spoofing attacks. |

Taxonomy Mappings

  • PLOVER — Predictability problems
  • WASC: 11 — Brute Force

Frequently Asked Questions

What is CWE-340?

CWE-340 (Generation of Predictable Numbers or Identifiers) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product uses a scheme that generates numbers or identifiers that are more predictable than required.

How can CWE-340 be exploited?

The impact of exploiting CWE-340 (Generation of Predictable Numbers or Identifiers) varies by context. This weakness is typically introduced during the Architecture and Design phase or the Implementation phase of software development.

How do I prevent CWE-340?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-340?

CWE-340 is classified as a Class-level weakness (High abstraction). It has been observed in 3 real-world CVEs.