Token Issuer

Weak Randomness

Session and reset tokens are derived from `Math.random()` and a Unix-second seed, so a few observed tokens leak the PRNG state.

CWE-330CWE-338
Back to hub Reload scenario
Token sequence 

  


      

    


    

      

        
Expected Findings

        
    
          
  • Tokens are derived from non-cryptographic PRNG seeded from `time.Now().Unix()`.
  • Sequential tokens differ only in low-entropy positions.
  • Reset endpoint accepts the predicted next token.
    • 
        

      


      

      

        
Signals

        
        

          
Code

          
rand.Seed(time.Now().Unix())
token := fmt.Sprintf("%x", rand.Int63())

        

        
      

    


    

    

      Developed by vibe-eval.com for validation and testing purposes only.