Insecurely generated token - OTP - TypeScript

Need

Secure generation and transmission of OTP tokens

Context

  • Usage of TypeScript for type-checking and enhanced JavaScript development
  • Usage of Express for building web applications and handling HTTP requests

Description

Non compliant code

    import express from 'express';
    import { generateOTP } from './otpGenerator';

    const app = express();

    app.post('/login', (req, res) => {
      const { phoneNumber } = req.body;
      const otp = generateOTP(); // Insecurely generated OTP client-side

      // Send the OTP to the server for validation
      // ...

      res.send('OTP sent successfully');
    });

    app.listen(3000, () => {
      console.log('Server started on port 3000');
    });

The vulnerability in this code is that the OTP (One-Time Password) is generated client-side, which means it is generated on the user's device rather than on the server. This allows an attacker to intercept the request and read the OTP, even without access to the phone number it was meant for.

In the code, the generateOTP() function is called to generate the OTP. Because this function runs on the client side, its output is exposed to anyone who can observe or tamper with the request. An attacker can intercept the request, obtain the OTP, and continue the application flow without ever controlling the phone number.

The impact is significant: an attacker can complete requests without access to the legitimate phone number, or even with a fake phone number. This can lead to unauthorized access to user accounts or to malicious actions performed on behalf of the user.

To mitigate this vulnerability, it is recommended to generate OTPs and perform the corresponding validations always on the server-side. This ensures that the OTP generation and validation process is secure and not susceptible to interception or manipulation by attackers.

Steps

  • Move the OTP generation logic to the server-side
  • Update the '/login' route to send the phoneNumber to the server
  • Generate the OTP on the server-side using a secure algorithm
  • Send the OTP to the client-side for display or further processing
  • Perform the OTP validation on the server-side
  • Update the response to the client-side based on the OTP validation result

Compliant code

    import express from 'express';
    import { generateOTP } from './otpGenerator'; // Secure server-side generator (not shown)

    const app = express();
    app.use(express.json());

    // Pending OTPs live only on the server, keyed by phone number
    const pendingOtps = new Map<string, { otp: string; expiresAt: number }>();

    app.post('/login', (req, res) => {
      const { phoneNumber } = req.body;
      const otp = generateOTP(); // Securely generated OTP on the server-side

      // Keep the OTP server-side with a short expiry for later validation
      pendingOtps.set(phoneNumber, { otp, expiresAt: Date.now() + 5 * 60 * 1000 });

      // Deliver the OTP to the user's phone (e.g. SMS); never return it in the response
      // ...

      res.send('OTP sent successfully');
    });

    // Validation also happens on the server-side
    app.post('/verify', (req, res) => {
      const { phoneNumber, otp } = req.body;
      const record = pendingOtps.get(phoneNumber);
      const valid = record !== undefined && Date.now() <= record.expiresAt && record.otp === otp;
      pendingOtps.delete(phoneNumber); // Single use, whether or not it matched
      res.status(valid ? 200 : 401).send(valid ? 'OTP valid' : 'OTP invalid');
    });

    app.listen(3000, () => {
      console.log('Server started on port 3000');
    });

The fixed code addresses the vulnerability by ensuring that the OTP generation and validation are performed on the server-side.

1. The code imports the necessary modules, including the generateOTP function from the otpGenerator module.

2. The code creates an instance of the Express application.

3. The code defines a POST route for the /login endpoint. When a request is made to this endpoint, the code extracts the phoneNumber from the request body.

4. The code then securely generates an OTP using the generateOTP function. It is important to note that the implementation of the generateOTP function is not shown here, but it should be implemented in a secure manner on the server-side.

5. The code passes the phoneNumber and the generated otp to the server-side validation step. The validation logic itself is not shown here, but it must be performed securely on the server-side.

6. Finally, the code sends a response indicating that the OTP has been sent successfully.

By generating and validating the OTP on the server-side, this code ensures that the OTP is not exposed to potential attackers. It mitigates the vulnerability by preventing attackers from intercepting the OTP and continuing the application flow without access to the phone number.
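The secure generator and server-side validation that the page leaves unimplemented, as an added TypeScript example that is not part of the original page. The function names issueOtp and verifyOtp, the in-memory store, the 5-minute lifetime and the 3-attempt limit are assumptions; the code only needs Node's built-in crypto module, and an Express app would call issueOtp from /login and verifyOtp from a /verify route.

```typescript
import { randomInt, timingSafeEqual, createHash } from 'node:crypto';

// Server-side record of a pending OTP; only a hash of the code is stored.
interface OtpRecord { hash: Buffer; expiresAt: number; attemptsLeft: number; }

const OTP_TTL_MS = 5 * 60 * 1000; // assumed 5-minute lifetime
const MAX_ATTEMPTS = 3;           // assumed attempt limit per issued code
const pending = new Map<string, OtpRecord>(); // constructed in-memory store, keyed by phone number

function hashOtp(phoneNumber: string, otp: string): Buffer {
  return createHash('sha256').update(`${phoneNumber}:${otp}`).digest();
}

// Generate a 6-digit code from the CSPRNG (never Math.random()) and record it
// server-side. The return value goes to the SMS sender, not to the HTTP client.
function issueOtp(phoneNumber: string, now: number = Date.now()): string {
  const otp = randomInt(0, 1000000).toString().padStart(6, '0');
  pending.set(phoneNumber, {
    hash: hashOtp(phoneNumber, otp),
    expiresAt: now + OTP_TTL_MS,
    attemptsLeft: MAX_ATTEMPTS,
  });
  return otp;
}

// Validate entirely on the server: expiring, attempt-limited, single use,
// and compared in constant time so the check leaks no timing information.
function verifyOtp(phoneNumber: string, candidate: string, now: number = Date.now()): boolean {
  const rec = pending.get(phoneNumber);
  if (rec === undefined) return false;
  if (now > rec.expiresAt) {
    pending.delete(phoneNumber);
    return false;
  }
  rec.attemptsLeft -= 1;
  const ok = timingSafeEqual(rec.hash, hashOtp(phoneNumber, candidate));
  if (ok || rec.attemptsLeft <= 0) pending.delete(phoneNumber); // consume on success or lockout
  return ok;
}
```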

References