Corgea LogoCorgea Security Hub

CWE-341: Predictable from Observable State

Learn about CWE-341 (Predictable from Observable State), its security impact, exploitation methods, and prevention guidelines.

What is Predictable from Observable State?

• Overview: CWE-341 refers to a vulnerability where a number or object can be easily predicted by an attacker based on observable aspects of the system, such as the time, process ID, or other predictable states.

• Exploitation Methods:

  • Attackers can predict values such as session IDs, tokens, or keys if they are generated using predictable inputs.
  • Common attack patterns include observing system behaviors or outputs to deduce the predictable sequence or state.

• Security Impact:

  • Direct consequences include unauthorized access if session IDs or tokens are predictable.
  • Potential cascading effects involve further exploitation or compromise of system components relying on predictable values.
  • Business impact could include data breaches, loss of customer trust, and financial loss due to unauthorized access.

• Prevention Guidelines:

  • Specific code-level fixes include using cryptographically secure random number generators instead of predictable inputs.
  • Security best practices involve avoiding the use of time-based or easily guessable values for sensitive operations.
  • Recommended tools and frameworks include libraries that provide secure random generation functions, such as those found in cryptographic libraries.

Corgea can automatically detect and fix Predictable from Observable State in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

function generateSessionId() {
    // Vulnerable session ID generation using predictable timestamp
    // An attacker can predict future session IDs by observing the current time
    const timestamp = Date.now().toString();
    const sessionId = require('crypto').createHash('sha256').update(timestamp).digest('hex');
    return sessionId;
}

How to fix Predictable from Observable State?

To address this vulnerability in JavaScript, use cryptographically secure random values instead of predictable values like the current timestamp. In Node.js, the crypto module provides a randomBytes function which can be used to generate secure random values for session IDs. This ensures that session IDs cannot be easily predicted or replicated by attackers.

Fixed Code Example

const crypto = require('crypto');

function generateSessionId() {
    // Secure session ID generation using cryptographically secure random bytes
    const randomBytes = crypto.randomBytes(32);
    const sessionId = crypto.createHash('sha256').update(randomBytes).digest('hex');
    return sessionId;
}

In both examples, the key change is replacing the use of time-based or predictable state-based values with cryptographically secure random values. This mitigates the risk of session IDs being predicted and exploited by attackers. By using crypto.randomBytes, we ensure that each session ID is unique and cannot be easily guessed, providing a more secure solution.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-341: Predictable from Observable State and get remediation guidance

Start for free and no credit card needed.