Insecurely generated token - OTP
Need
Secure generation and transmission of OTP tokens
Context
• Usage of C# for building robust and scalable applications
• Usage of Microsoft.AspNetCore.Mvc for building web applications with the ASP.NET Core MVC framework
• Usage of System.Threading.Tasks for asynchronous programming in .NET
Description
1. Non compliant code
public class AccountController : Controller
{
    [HttpPost]
    public async Task<IActionResult> SendOTP(string phoneNumber)
    {
        // Insecure OTP generation
        var otp = new Random().Next(100000, 999999).ToString();
        // Send OTP to client...The above code snippet represents a typical OTP (One Time Password) generation and verification flow in an ASP.NET Core application. However, it has two major security vulnerabilities: 1. **Insecure OTP Generation**: The OTP is generated on the server side and sent to the client as part of the HTTP response. This is insecure because anyone who can intercept the HTTP response (for example, through a man-in-the-middle attack) can gain access to the OTP. 2. **Insecure OTP Verification**: The OTP verification is done by simply checking if the OTP sent by the client matches a hard-coded value ("123456"). This is insecure because anyone who knows this hard-coded value can bypass the OTP verification process. These vulnerabilities can lead to unauthorized access to the application. To fix these issues, the OTP should be generated and verified on the server side, and should not be sent to the client. Additionally, the OTP verification process should not rely on a hard-coded value.
2. Steps
• Generate the OTP server-side instead of client-side
• Use a secure random number generator to generate the OTP
• Implement a secure method to send the OTP to the client
• Implement a secure method to verify the OTP on the server-side
• Consider using a time-based OTP (TOTP) instead of a static OTP
• Implement rate limiting to prevent brute force attacks on the OTP verification endpoint
3. Secure code example
public class AccountController : Controller
{
    private readonly Dictionary<string, string> otpStore = new Dictionary<string, string>();
    private readonly RandomNumberGenerator rng = RandomNumberGenerator.Create();
    [HttpPost]
    public async Task<IActionResult> SendOTP(string phoneNumber)
        // Secure OTP generation...The OTP is now generated server-side using a secure random number generator. This OTP is then stored in a dictionary along with the associated phone number. When the client sends the OTP for verification, the server checks the OTP against the stored value. The `GenerateOTP` method uses the `RandomNumberGenerator` class to generate a secure random number, which is then converted to a string and truncated to 6 digits. The `SendOTPSecurely` method is a placeholder for a secure method of sending the OTP to the client. This could be an SMS service, for example. The `VerifyOTP` method checks the OTP against the stored value. If the OTP matches, access is granted. If not, access is denied. This code also implements rate limiting to prevent brute force attacks on the OTP verification endpoint. This is done by limiting the number of OTP verification attempts that can be made from a single IP address in a given time period.
References
• 383. Insecurely generated token - OTP