DEV Community

ADEKOLA Abdwahab
WEB API VULNERABILITY THROUGH OTP

Broken Authentication is a well-known entry in the OWASP Top 10 list.

Authentication is one of the most important aspects of a platform.

It is the act of confirming that the user who wants to use the platform through a particular account right now is actually the user who owns that account, assuming no user shares their login details.

The login details are registered into the system at the sign-up stage; most often these details are a password and an email address.

The email address is regarded as WHAT YOU HAVE and the password as WHAT YOU KNOW. The third factor of authentication is WHO YOU ARE, e.g. biometrics.

When you put down your email address to sign up, platforms need to confirm that you truly have access to that email. One way they confirm this is by sending you a mail with a token/code which you are to copy and input into the provided place on the platform. If you are not able to do this, it is considered that you don't have the email address, and your sign-up is not completed.

Also, after signing up it is possible for a user to forget their password, locking them out of their account.

Platforms provide a means for users to get their accounts back by allowing them to reset their password. This is also achieved by confirming that the user who wants to reset the password actually HAS access to the mailbox of the email address on the said account.

The typical content of such an email looks like this:

[screenshot of OTP email]

However, going the extra mile, hackers can sign up or reset the password of an account for which they don't have the email address. This is possible especially when the platform is accessed via a web API.

How?

Most of the codes that are sent are 4 digits. Okay, let's start from here: how many guesses would it take to guess a single-digit number? 10 guesses. How many would it take to guess two digits? 100. How many guesses would it take to guess four digits? 10,000.

Hackers, without having the email address, can simply run from 0000 through 9999, calling the API endpoint for each guess. They'd probably get lucky before reaching 9999, hence defeating the check of WHAT YOU HAVE.

How many guesses would they have to make if the code were 6 digits? 1,000,000. Yeah, that's one million guesses.

Hence the more digits the code has, the more secure it is, and the more impractical it becomes for hackers to guess.

With this, the platform would be safer from broken authentication.
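The longer code only helps if the server also refuses to be guessed at indefinitely. The following is an added example (not code from the original post) of how a verification endpoint can be implemented on the defender's side: it issues a 6-digit code from a cryptographic random source, rejects the code after a fixed number of failed guesses, expires it after a time limit, makes it single-use, and compares it in constant time. The `OtpService` class, its in-memory store and the constants are assumptions for illustration; a real deployment would back the store with a database or cache.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; tune per deployment.
OTP_DIGITS = 6        # 10**6 possible codes instead of 10**4
MAX_ATTEMPTS = 5      # failed guesses allowed before the code is thrown away
TTL_SECONDS = 300     # a code is only valid for five minutes


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    failures: int = 0


class OtpService:
    """Issues and verifies one-time codes with brute-force protection.

    Hypothetical in-memory store keyed by account id; a real system would
    persist this so the attempt counter survives restarts and load balancing.
    """

    def __init__(self, digits=OTP_DIGITS, max_attempts=MAX_ATTEMPTS,
                 ttl=TTL_SECONDS, clock=time.time):
        self.digits = digits
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # account id -> PendingOtp

    def keyspace(self) -> int:
        """Number of distinct codes an attacker would have to cover."""
        return 10 ** self.digits

    def issue(self, account: str) -> str:
        # secrets.randbelow is a CSPRNG; zero-pad so "000123" is as likely as any other code.
        code = str(secrets.randbelow(self.keyspace())).zfill(self.digits)
        self._pending[account] = PendingOtp(code=code, issued_at=self.clock())
        # Returned here only so the example can be exercised; a real service
        # delivers the code to the mailbox and never returns it to the API caller.
        return code

    def verify(self, account: str, guess: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False                      # nothing issued, already used, or locked out
        if self.clock() - entry.issued_at > self.ttl:
            del self._pending[account]        # expired: force a fresh code to be sent
            return False
        # Constant-time comparison so response timing does not reveal matching digits.
        if hmac.compare_digest(entry.code.encode(), str(guess).encode()):
            del self._pending[account]        # single use
            return True
        entry.failures += 1
        if entry.failures >= self.max_attempts:
            # Discard the code: continuing requires a new email to be sent, which
            # is visible to the legitimate owner and can itself be rate limited.
            del self._pending[account]
        return False


def demo_lockout(digits: int = 4, max_attempts: int = MAX_ATTEMPTS) -> bool:
    """Shows that even a 4-digit code cannot be swept 0000..9999 once attempts are capped.

    Returns True when the correct code is rejected after the failed guesses.
    """
    svc = OtpService(digits=digits, max_attempts=max_attempts)
    code = svc.issue("demo-account")
    wrong_guesses = [str(i).zfill(digits) for i in range(max_attempts + 1)]
    wrong_guesses = [g for g in wrong_guesses if g != code][:max_attempts]
    for g in wrong_guesses:
        svc.verify("demo-account", g)
    # The real code is now useless to the guesser; the owner simply requests another.
    return svc.verify("demo-account", code) is False
```

With this policy a guesser gets at most `MAX_ATTEMPTS` tries per issued code, so the odds of success per code drop from "certain, given 10,000 requests" to `MAX_ATTEMPTS / keyspace()` (5 in a million for 6 digits). Each new code also produces a new email to the legitimate owner, which is a useful detection signal in itself.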

In one of my next articles I will write about whether sending a verification link is better than sending OTP/codes. What do you think?
