Create Secure Coding - 2FA.md
This commit is contained in:
parent
196c48ca29
commit
a9b82eff85
147
Secure Coding - 2FA.md
Normal file
147
Secure Coding - 2FA.md
Normal file
@ -0,0 +1,147 @@
|
||||
# 2FA Broken logic
|
||||
In this scenario, the two-factor authentication (2FA) system of a web application is vulnerable due to flawed logic. This vulnerability allows the attacker to bypass the 2FA mechanism and gain unauthorized access to other users' accounts. Let's discuss the secure programming approach for this scenario and provide examples of non-compliant (vulnerable) and compliant (safe) code.
|
||||
|
||||
## Secure programming approach for 2FA:
|
||||
**User Session Validation:** Ensure that the 2FA process is connected to the current user session and cannot be manipulated to target another user account.
|
||||
|
||||
**2FA Code Validation:** Implement strong 2FA code validation, ensuring that it matches the user's expected code and is within its validity period.
|
||||
|
||||
**Rate Limiting and Account Lockout:** Implement rate limiting and account lockout mechanisms to prevent brute force attacks.
|
||||
|
||||
**Secure Code Transfer:** Use secure methods (such as SMS, email, or an authentication program) to transfer the 2FA code.
|
||||
|
||||
**Logging and Monitoring:** Log 2FA attempts and monitor for suspicious activity.
|
||||
|
||||
|
||||
## Non-compliant Code (JavaScript):
|
||||
```javascript
|
||||
// JavaScript/Node.js example of non-compliant code
|
||||
app.post('/login2', (req, res) => {
|
||||
const { username, mfaCode } = req.body;
|
||||
// The 'verify' parameter is not tied to the user's session
|
||||
if (isValid2FACode(username, mfaCode)) {
|
||||
// User is logged in without validating the session
|
||||
res.redirect('/account');
|
||||
} else {
|
||||
res.status(401).send('Invalid 2FA code');
|
||||
}
|
||||
});
|
||||
```
|
||||
> In this non-compliant example, the 2FA process can be manipulated by changing the username parameter to target any user account.
|
||||
|
||||
## Compliant Code (JavaScript):
|
||||
```javascript
|
||||
// JavaScript/Node.js example of compliant code
|
||||
app.post('/login2', (req, res) => {
|
||||
const { mfaCode } = req.body;
|
||||
const username = req.session.username; // Use username from the authenticated session
|
||||
if (!username || !isValid2FACode(username, mfaCode)) {
|
||||
res.status(401).send('Invalid 2FA code');
|
||||
return;
|
||||
}
|
||||
// User is logged in only after validating the 2FA code for the correct session
|
||||
res.redirect('/account');
|
||||
});
|
||||
function isValid2FACode(username, code) {
|
||||
// Validate the 2FA code for the user
|
||||
// Check if the code is correct and within its validity period
|
||||
// Return true if valid, false otherwise
|
||||
}
|
||||
```
|
||||
In the example above, the 2FA process is associated with the user's user session, ensuring that the 2FA validation code entered is unique to the user and cannot be manipulated to target another user's account.
|
||||
|
||||
|
||||
|
||||
## Additional security measures:
|
||||
|
||||
* Implement multi-device authentication where the user is notified of login attempts on new devices.
|
||||
* Use time-based one-time passwords (TOTP) that are only valid for a short period.
|
||||
* Providing options for users to review and manage their trusted devices.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user