Weak credential policy - Temporary passwords - Typescript


Need

Strengthening temporary password security policies


Context

  1. Usage of TypeScript for type-checking and enhanced JavaScript development
  2. Usage of Express for building web applications and APIs

Description

Insecure Code Example

import express from 'express';

const app = express();

// Parse JSON bodies; without this req.body is undefined and the handler throws
app.use(express.json());

app.post('/login', (req, res) => {
  const { username, password } = req.body;

  // Generate temporary password
  const temporaryPassword = generateTemporaryPassword();

  // Store temporary password in the database
  saveTemporaryPassword(username, temporaryPassword);

  // Send temporary password to the user
  sendTemporaryPassword(username, temporaryPassword);

  res.send('Temporary password has been sent to your email.');
});

function generateTemporaryPassword() {
  // Generate a weak temporary password: a hard-coded constant, identical for every user
  return 'weak123';
}

function saveTemporaryPassword(username: string, temporaryPassword: string) {
  // Save the temporary password in the database
  // This code does not implement any security measures for storing passwords
}

function sendTemporaryPassword(username: string, temporaryPassword: string) {
  // Send the temporary password to the user's email
  // This code does not implement any secure email sending mechanism
}

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in this code is a weak credential policy for temporary passwords. The `generateTemporaryPassword` function returns the constant "weak123" for every request, so the temporary credential has no entropy at all: anyone who reads the source, sees one email, or simply guesses a common value can authenticate as any account that has requested a temporary password. Beyond being predictable, the value is short and has no expiry or single-use restriction, so it remains valid indefinitely. The `saveTemporaryPassword` function also stores the password without hashing it, so a database compromise or an over-privileged query exposes every outstanding temporary credential in plaintext. Finally, `sendTemporaryPassword` delivers the password without any authenticated, TLS-protected transport, so it can be read in transit. Together these flaws let an attacker obtain or guess temporary passwords and take over accounts, leading to unauthorized actions or data breaches.

Steps

  1. Generate temporary passwords from a cryptographically secure random source (the platform CSPRNG, not `Math.random()`), long enough to resist guessing, and make them short-lived and single-use.
  2. Store only a salted, slow hash (bcrypt, scrypt or Argon2) of the temporary password together with its expiry; never persist or log the plaintext.
  3. Deliver the temporary password out of band over an authenticated, TLS-protected transport, with the mail credentials loaded from the environment rather than hard-coded.

Secure Code Example

import express from 'express';
import bcrypt from 'bcrypt';
import nodemailer from 'nodemailer';
import { randomInt } from 'crypto';

const app = express();

app.use(express.json());

// Temporary passwords are short-lived: 15 minutes, and single-use once verified
const TEMPORARY_PASSWORD_TTL_MS = 15 * 60 * 1000;

app.post('/login', async (req, res) => {
  const { username } = req.body;

  // Generate temporary password from the CSPRNG, never from Math.random()
  const temporaryPassword = generateTemporaryPassword();

  // Store only a bcrypt hash of the temporary password, plus its expiry
  await saveTemporaryPassword(username, temporaryPassword);

  // Deliver the temporary password out of band
  await sendTemporaryPassword(username, temporaryPassword);

  // Same response whether or not the account exists, to avoid user enumeration
  res.send('Temporary password has been sent to your email.');
});

function generateTemporaryPassword(length = 12): string {
  // Alphabet without look-alike characters (0/O, 1/l/I) so the value survives
  // being read from an email; 57 symbols over 12 positions is about 70 bits of entropy
  const alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
  let temporaryPassword = '';
  for (let i = 0; i < length; i++) {
    // crypto.randomInt draws from the CSPRNG and rejects biased values itself
    temporaryPassword += alphabet.charAt(randomInt(alphabet.length));
  }
  return temporaryPassword;
}

async function saveTemporaryPassword(username: string, temporaryPassword: string) {
  const saltRounds = 12;
  const hashedPassword = await bcrypt.hash(temporaryPassword, saltRounds);
  const expiresAt = new Date(Date.now() + TEMPORARY_PASSWORD_TTL_MS);
  // Save the hashed temporary password and its expiry in the database;
  // the plaintext is never persisted or logged
  // Implement your code here to store hashedPassword and expiresAt for username
}

async function sendTemporaryPassword(username: string, temporaryPassword: string) {
  // Mail credentials come from the environment, never from source control
  const transporter = nodemailer.createTransport({
    service: process.env.EMAIL_SERVICE,
    auth: {
      user: process.env.EMAIL_USER,
      pass: process.env.EMAIL_PASSWORD,
    },
  });

  const mailOptions = {
    from: process.env.EMAIL_USER,
    to: username,
    subject: 'Temporary Password',
    text: `Your temporary password is: ${temporaryPassword}\n` +
      'It expires in 15 minutes and can be used only once.',
  };

  // Send the email with the temporary password over the transporter's TLS session
  await transporter.sendMail(mailOptions);
}

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code addresses the vulnerability by issuing temporary passwords according to recommended practice. Here is an explanation of the changes made:

  1. The code imports `express` for the server, `bcrypt` for slow, salted password hashing, `nodemailer` for sending email, and `randomInt` from Node's `crypto` module as the cryptographically secure random source.
  2. The `/login` route is a POST handler that reads the `username` from the JSON request body and always answers with the same message, so the response does not reveal whether the account exists.
  3. `generateTemporaryPassword` builds a 12-character value by drawing each character from the CSPRNG with `crypto.randomInt`, which rejects biased values, over an alphabet of 57 unambiguous symbols (about 70 bits of entropy). `Math.random()` is not suitable here: it is a non-cryptographic generator whose output can be predicted from earlier observations, and `Math.random().toString(36).slice(-10)` can also yield fewer than ten characters.
  4. `saveTemporaryPassword` hashes the temporary password with bcrypt at 12 cost rounds and records an expiry 15 minutes in the future before storing it. Only the hash and expiry reach the database; the plaintext is neither persisted nor logged, so a database compromise does not expose usable credentials.
  5. `sendTemporaryPassword` creates a nodemailer transporter whose service name and credentials are read from environment variables instead of being hard-coded, composes the message with the expiry and single-use notice, and actually sends it with `transporter.sendMail`.
  6. The route handler calls these three functions in order: generate, hash and store, then deliver.
  7. The server listens on port 3000 and logs a message when it starts.

With these changes, temporary passwords are unpredictable, short-lived, stored only as salted hashes, and delivered over an authenticated transport. The verification endpoint (not shown on this page) must additionally enforce the expiry, invalidate the temporary password after its first successful use, and limit failed attempts.
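The page's secure example covers issuing a temporary password but not checking it. The following is an added example, not code from the original page or from the referenced advisory, showing the verification half: expiry, single use, an attempt limit, and a constant-time hash comparison. It assumes a hypothetical in-memory `Map` standing in for the database table, uses `scryptSync` from Node's `crypto` module in place of bcrypt so it runs without a native dependency, and the function and constant names (`issueTemporaryPassword`, `verifyTemporaryPassword`, `TEMP_PASSWORD_TTL_MS`, `MAX_ATTEMPTS`) are this example's own.

```typescript
import { randomInt, randomBytes, scryptSync, timingSafeEqual } from 'crypto';

// Alphabet without look-alike characters (0/O, 1/l/I); 57 symbols over 12
// positions is about 70 bits of entropy.
const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
const TEMP_PASSWORD_LENGTH = 12;
const TEMP_PASSWORD_TTL_MS = 15 * 60 * 1000; // 15 minutes
const MAX_ATTEMPTS = 5;

interface TempCredential {
  salt: Buffer;      // per-credential random salt
  hash: Buffer;      // scrypt(password, salt)
  expiresAt: number; // epoch milliseconds
  attempts: number;  // failed verification attempts so far
}

// Hypothetical in-memory store standing in for the database table.
const store = new Map<string, TempCredential>();

function generateTemporaryPassword(length: number = TEMP_PASSWORD_LENGTH): string {
  let password = '';
  for (let i = 0; i < length; i++) {
    // crypto.randomInt draws from the CSPRNG and rejects biased values itself
    password += ALPHABET.charAt(randomInt(ALPHABET.length));
  }
  return password;
}

function hashPassword(password: string, salt: Buffer): Buffer {
  // scrypt with N=2^14, r=8, p=1 (16 MiB of memory); bcrypt or Argon2 are equally suitable
  return scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Issues a temporary password for `username`; the returned plaintext is to be
// delivered out of band and must never be logged or persisted.
function issueTemporaryPassword(username: string, now: number = Date.now()): string {
  const password = generateTemporaryPassword();
  const salt = randomBytes(16);
  store.set(username, {
    salt,
    hash: hashPassword(password, salt),
    expiresAt: now + TEMP_PASSWORD_TTL_MS,
    attempts: 0,
  });
  return password;
}

type VerifyResult = 'ok' | 'no_credential' | 'expired' | 'locked' | 'mismatch';

// Checks a candidate against the stored credential. A successful check consumes
// the credential (single use); expiry and the attempt limit also destroy it.
function verifyTemporaryPassword(
  username: string,
  candidate: string,
  now: number = Date.now(),
): VerifyResult {
  const cred = store.get(username);
  if (!cred) return 'no_credential';
  if (now > cred.expiresAt) {
    store.delete(username);
    return 'expired';
  }
  if (cred.attempts >= MAX_ATTEMPTS) {
    store.delete(username);
    return 'locked';
  }
  cred.attempts += 1;
  const candidateHash = hashPassword(candidate, cred.salt);
  // Both digests are 32 bytes, so timingSafeEqual compares in constant time
  if (!timingSafeEqual(candidateHash, cred.hash)) return 'mismatch';
  store.delete(username); // single use: the credential is gone after success
  return 'ok';
}
```

Counting attempts per credential rather than per source IP matters because the online guessing target is the stored credential itself; with about 70 bits of entropy and five attempts, guessing is hopeless, and the lockout mainly protects against an attacker who has narrowed the space some other way.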


References

  • 364 - Weak credential policy - Temporary passwords

  • Last updated

    2023/09/18