Insecurely generated token - OTP
Need
Secure generation and transmission of OTP tokens
Context
- Usage of Scala for building scalable and high-performance applications
- Usage of play.api.mvc for handling HTTP requests and responses in Play Framework
- Usage of play.api.libs.json for JSON parsing and manipulation in Play Framework
Description
Non compliant code
import play.api.mvc._
import play.api.libs.json._
class Application extends Controller {
def generateOTP = Action { request =>
val json = request.body.asJson.get
val phoneNumber = (json \\ "phoneNumber").as[String]
val otp = generateClientSideOTP(phoneNumber)
Ok(Json.obj("status" -> "success", "OTP" -> otp))
}
def generateClientSideOTP(phoneNumber: String): String = {
// OTP generation logic here
val otp = phoneNumber.take(4) // This is a simple and insecure OTP generation logic for demonstration purposes
otp
}
}
The above code represents a Scala backend application using the Play framework that generates an OTP client-side and sends it to the server. This approach is insecure because the OTP is generated on the client-side, making it susceptible to interception by an attacker.
The generateOTP function is an action that extracts the phone number from the request body and passes it to the generateClientSideOTP function to generate the OTP. The OTP is then sent back to the client in the response.
The generateClientSideOTP function generates the OTP based on the phone number. In this case, it simply takes the first 4 characters of the phone number as the OTP. This is a very simplistic and insecure method of generating an OTP, and it's used here only for demonstration purposes.
The vulnerability here is that an attacker can intercept the request and gain access to the OTP. Since the OTP is generated on the client-side and sent to the server, the attacker doesn't need access to the phone number used. They only need to intercept the request to access the OTP and continue the application flow.
Steps
- Move the OTP generation logic to the server-side
- Generate a cryptographically secure random OTP
- Use a secure method to transmit the OTP to the client-side
- Implement proper validation and expiration for the OTP
Compliant code
import play.api.mvc._
import play.api.libs.json._
import java.security.SecureRandom
class Application extends Controller {
def generateOTP = Action { request =>
val json = request.body.asJson.get
val phoneNumber = (json \\ "phoneNumber").as[String]
val otp = generateServerSideOTP()
// Send OTP to the client side securely, e.g., via SMS
Ok(Json.obj("status" -> "success"))
}
def generateServerSideOTP(): String = {
val random = new SecureRandom()
val otp = new Array[Byte](4)
random.nextBytes(otp)
otp.map("%02x".format(_)).mkString
}
}
The OTP generation logic has been moved to the server-side. The generateServerSideOTP function generates a cryptographically secure random OTP using the SecureRandom class. The OTP is then converted to a hexadecimal string.
The OTP is no longer sent in the response to the client. Instead, it should be sent to the client-side securely, for example, via SMS. This is not shown in the code as it depends on the specific SMS gateway used.
The client-side should then send the OTP back to the server for validation. The server should implement proper validation and expiration for the OTP. This is not shown in the code as it depends on the specific requirements and infrastructure of the application.