Authentication Mechanism Absence or Evasion - OTP
Need
Ensure that OTPs are validated properly during user registration.
Context
• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of Phoenix Framework for building web applications (version 1.6.0 and above)
Description
1. Non compliant code
defmodule MyAppWeb.UserController do
use MyAppWeb, :controller
def verify_otp(conn, %{'otp' => otp}) do
if String.length(otp) == 6 do
json(conn, %{status: 'success'})
else
end...This code is insecure because it only checks if the length of the OTP is 6, but it doesn't verify if the OTP matches the one generated by the server. This allows an attacker to bypass the OTP verification by entering any six-digit number.
2. Steps
• Implement server-side OTP generation and storage (temporary, expires after a certain time or after it is used).
• Upon user OTP submission, verify it against the OTP stored on the server.
• Consider using OTP validation libraries to handle this more securely and efficiently.
3. Secure code example
defmodule MyAppWeb.UserController do
use MyAppWeb, :controller
def verify_otp(conn, %{'otp' => otp, 'user_id' => user_id}) do
stored_otp = get_stored_otp_for_user(user_id)
if otp == stored_otp do
json(conn, %{status: 'success'})
json(conn, %{status: 'error'})...This code is secure because it verifies the user's OTP against the one stored on the server, ensuring that only a correct OTP will pass the verification process.