# Insecure: using time-seeded random for security tokens import random, time random.seed(int(time.time())) # seed is just the current timestamp! token = hex(random.randint(0, 0xFFFFFF)) # predictable # If an attacker knows roughly when a token was issued, # they can brute force the seed (only ~86400 possible values per day) # Secure alternative: import secrets token = secrets.token_hex(32) # cryptographically secure random # Real vulnerability examples: # - PHP rand() seeded with time() for password reset tokens # - Java Math.random() for session IDs # - Python random.random() for CSRF tokens # - JWT with predictable "jti" (JWT ID) values # Attack tool for PHP mt_rand: # php_mt_seed — brute forces the seed from output values # Vulnerable password reset flow: # 1. Request reset → server generates token with rand() # 2. Attacker requests reset at same second → same seed! # 3. Both tokens are predictable from each other
⚠️ These tokens were generated with time-seeded random (insecure):
2ca1f3 ac65bb f0de29 51bdb4 703f90
Reload the page — they change every second. An attacker who knows the timestamp can reproduce them.