logo

Database

Insecurely generated token - OTP

Need

Secure generation and transmission of OTP tokens

Context

• Usage of Dart 2.0 for building high-performance, cross-platform applications

• Usage of Shelf for managing and organizing data in a Node.js application

Description

1. Non compliant code

import 'package:shelf/shelf.dart' as shelf;
import 'dart:math';

shelf.Response handleRequest(shelf.Request request) {
  var params = request.url.queryParameters;
  var phoneNumber = params['phoneNumber'];
  var OTP = generateOTP();
  // Send OTP to client...

In the above code, we have a function `handleRequest(shelf.Request request)` that handles incoming requests. Inside this function, we extract the phone number from the request query parameters and generate an OTP (One-Time Password). The OTP is generated using the function `generateOTP()`, which creates a 6 digit random number. This OTP is then sent back to the client in the response. The vulnerability lies in the fact that the OTP is generated on the server-side and sent to the client-side. This means that if an attacker intercepts the request, they can easily access the OTP and continue the application flow without needing access to the actual phone number used. This is a serious security flaw as OTPs are meant to provide a second layer of security by requiring users to have access to a specific device (in this case, a phone). By allowing the OTP to be intercepted, this layer of security is effectively bypassed.

2. Steps

• Move the OTP generation to the server-side. This way, the OTP is not exposed to the client-side where it can be intercepted.

• Ensure the OTP is sent directly to the user's phone number, not returned in the response. This can be done using an SMS gateway service.

• Implement secure communication between the client and the server. Use HTTPS to encrypt the data in transit and prevent it from being intercepted.

• Store the OTP in a secure server-side session, associated with the user's session or phone number. This way, when the user submits the OTP, you can compare it with the stored value.

• Implement a time limit for the OTP. After the limit, the OTP should expire and a new one should be generated for the next request. This prevents an attacker from using an old OTP.

• Consider adding rate limiting to prevent brute force attacks. This could limit the number of OTP requests from a single IP address or phone number.

3. Secure code example

import 'package:shelf/shelf.dart' as shelf;
import 'dart:math';
import 'package:shelf_session/shelf_session.dart';
import 'package:sms_maintained/sms.dart';

// Create a session middleware
var sessionMiddleware = SessionMiddleware(
    sessionKey: 'session',...

The code above fixes the vulnerability by moving the OTP generation to the server-side and sending it directly to the user's phone number using an SMS gateway service. The OTP is generated using the `_generateOTP` function, which generates a random 6-digit number. This OTP is then stored in a server-side session using the `shelf_session` package. The session is associated with the user's request, allowing the OTP to be stored securely and associated with the user's session or phone number. The OTP is then sent to the user's phone number using the `_sendOTP` function. This function uses the `sms_maintained` package to send an SMS to the user's phone number with the OTP. The OTP is not included in the response sent back to the client, preventing it from being intercepted. This code also sets up a session middleware and a session handler using the `shelf` and `shelf_session` packages. This allows the server to handle multiple sessions and store session data securely. Please note that this code does not implement a time limit for the OTP, rate limiting, or HTTPS. These features should be implemented as well to further secure the OTP process.