Insecurely generated token - OTP

Description

The OTP is generated client-side and sent to the server, so an attacker only needs to intercept that request to read the token and continue the application flow without ever having access to the phone number it was meant for.

Impact

Complete the OTP-protected flow without having access to the telephone number used, or even register with a fake telephone number.

Recommendation

Generate OTPs and perform the corresponding validations always on the server side.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

OTP generation is handled on the back end; the client receives the code only through the out-of-band channel (e-mail here), never in the HTTP response.

// constants module (required below as '../constants/constants')
const OTP_LENGTH = 6; // assumed value; the original page only shows the config object
const OTP_CONFIG = {
  upperCaseAlphabets: true,
  specialChars: false,
};
module.exports = { OTP_LENGTH, OTP_CONFIG };

// OTP module: the token is created on the server and never returned to the client
const otpGenerator = require('otp-generator');
const { OTP_LENGTH, OTP_CONFIG } = require('../constants/constants');

module.exports.generateOTP = () => {
  const OTP = otpGenerator.generate(OTP_LENGTH, OTP_CONFIG);
  return OTP;
};

// Mail module: the OTP reaches the user only through the out-of-band channel
const nodemailer = require('nodemailer');
const { MAIL_SETTINGS } = require('../constants/constants'); // assumed to live with the other constants
const transporter = nodemailer.createTransport(MAIL_SETTINGS);

module.exports.sendMail = async (params) => {
  try {
    // params carries the message fields (to, subject, text/html) that include the OTP
    const info = await transporter.sendMail(params);
    return info;
  } catch (error) {
    // ...
    throw error;
  }
};

Non compliant code

There is code on the front end that generates the OTP, so the token exists in the browser before the server has ever seen it.

// Runs in the browser: the OTP is created on the client and then sent to the server
function generateOTP() {
  // Predictable, client-controlled generation; the value is visible to anyone who can read the request
  const OTP = Math.floor(100000 + Math.random() * 900000).toString();
  return OTP;
}

function userRequestedOtp(user) {
  // The server only learns the OTP the client chose, so possession of the phone number is never proven
  sendCode(generateOTP(), user.email);
}

Requirements