
Insecurely generated token - OTP


Description

The OTP is generated client-side and sent to the server, so an attacker only needs to intercept the request to obtain the token and continue the application flow without any access to the phone number used.


Impact

Make requests without having access to the telephone number used, or even use a fake telephone number.


Recommendation

Generate OTPs and perform the corresponding validations always on the server side.


Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.


Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N


Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X


Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

OTP generation is handled on the back end

// constants/constants.js (the OTP_CONFIG fragment from the page, completed into a module;
// the length of 6 is an assumption)
const OTP_LENGTH = 6;
const OTP_CONFIG = {
  upperCaseAlphabets: true,
  specialChars: false,
};
module.exports = { OTP_LENGTH, OTP_CONFIG };

// services/otp.js: the token is produced on the server only
const otpGenerator = require('otp-generator');
const { OTP_LENGTH, OTP_CONFIG } = require('../constants/constants');

module.exports.generateOTP = () => {
  const OTP = otpGenerator.generate(OTP_LENGTH, OTP_CONFIG);
  return OTP;
};

// services/mail.js: the token is delivered out of band, never in the HTTP response
const nodemailer = require('nodemailer');
const MAIL_SETTINGS = { /* SMTP host, port and credentials, loaded from configuration */ };
const transporter = nodemailer.createTransport(MAIL_SETTINGS);

module.exports.sendMail = async (params) => {
  try {
    // params carries the message fields (from, to, subject, text), including the OTP
    const info = await transporter.sendMail(params);
    return info;
  } catch (error) {
    throw error;
  }
};

Non compliant code

There is code present on the front end that generates the OTP

function generateOTP() {
  const OTP = String(Math.floor(100000 + Math.random() * 900000)); // computed in the browser
  return OTP;
}
function userRequestedOtp(user) {
  // The token travels inside the request, so anyone who can read the request already has it
  fetch('/api/otp', { method: 'POST', body: JSON.stringify({ user, otp: generateOTP() }) });
}