Insecure service configuration - OTP - Python

Need

Secure service configuration - Disable OTP mock

Context

  • Usage of Python 3 for building and running Python applications
  • Usage of Django for building web applications in Python

Description

Non compliant code

    from django.conf import settings

    def otp_service(request):
        # The OTP mock is enabled whenever Django runs with DEBUG = True
        if settings.DEBUG:
            return "123456"
        else:
            # Production code path; generate_otp() is assumed to be defined elsewhere
            return generate_otp()

The Python code above represents a Django backend view in which an OTP (One Time Password) is generated. In this code, the OTP mock is enabled in debug mode.

The otp_service function checks whether the application is in debug mode (settings.DEBUG is True). If it is, it returns the hardcoded OTP "123456". This is a vulnerability because anyone who knows that value can gain unauthorized access to the application.

In a production environment, a real OTP is generated by calling the generate_otp() function. However, if the application accidentally remains in debug mode in a production environment, it will continue to provide the hardcoded OTP, creating a security risk.

This insecure service configuration vulnerability can be exploited by an attacker to bypass the OTP authentication process by using the known OTP "123456".

Steps

  • Remove the condition that checks if the application is in debug mode and returns a static OTP.
  • Ensure that the OTP is always generated dynamically, regardless of the application's state.
  • Never hardcode sensitive information such as OTPs, even for testing purposes.
  • Use mock objects or test doubles for testing the OTP service instead of hardcoding values.
  • Ensure that the testing and production environments are separated and that testing configurations do not affect the production environment.

Compliant code

    from django.conf import settings  # settings.DEBUG is no longer consulted

    def otp_service(request):
        # Always generate the OTP dynamically, in every environment
        return generate_otp()

The previous code had a vulnerability where it was returning a hardcoded OTP ("123456") when the application was in debug mode. This is a security risk as it exposes a predictable OTP that could be exploited.

The updated code removes this vulnerability by always generating the OTP dynamically, regardless of whether the application is in debug mode. The generate_otp() function is assumed to generate a secure, random OTP.

Remember, it's a bad practice to hardcode sensitive information such as OTPs, even for testing purposes. Instead, use mock objects or test doubles for testing the OTP service. Also, ensure that the testing and production environments are separated and that testing configurations do not affect the production environment.
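As an added example (not code from the page above), the following shows one way to implement the generate_otp() function the compliant code assumes, using Python's secrets module, together with a test double that patches the generator in a test instead of a DEBUG-gated hardcoded value. The is_well_formed_otp helper and the default request=None parameter are assumptions made for this example.

```python
# Added example, not the page's code: a CSPRNG-backed generate_otp() and a
# unittest.mock test double that replaces the DEBUG-gated "123456" branch.
import secrets
import string
from unittest import mock

OTP_LENGTH = 6


def generate_otp(length: int = OTP_LENGTH) -> str:
    """Return a zero-padded numeric OTP drawn from the OS CSPRNG.

    secrets.randbelow() is unpredictable; the random module is not
    suitable for security-sensitive values such as OTPs.
    """
    if length < 4:
        raise ValueError("OTP too short to resist guessing")
    return str(secrets.randbelow(10 ** length)).zfill(length)


def otp_service(request=None) -> str:
    # No settings.DEBUG branch: the same code path runs in every environment.
    return generate_otp()


def is_well_formed_otp(otp: str, length: int = OTP_LENGTH) -> bool:
    """Structural check a unit test can use without knowing the value (assumed helper)."""
    return len(otp) == length and all(c in string.digits for c in otp)


def test_with_double():
    """Use a test double: patch the generator only inside the test.

    Returns (otp seen while patched, otp seen after the patch is removed).
    """
    with mock.patch(f"{__name__}.generate_otp", return_value="000000"):
        fixed = otp_service()
    # Outside the patch the real generator is used again.
    real = otp_service()
    return fixed, real


if __name__ == "__main__":
    print(otp_service())
    print(test_with_double())
```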
