Need

Secure transmission of customer information

Context

• Usage of Dart for building cross-platform mobile, web, and desktop applications
• Usage of Shelf for managing and organizing data in a Node.js application
• Usage of shelf_io for managing and interacting with data storage in Node.js

Description

Non compliant code

        import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

void main() {
  var handler = const shelf.Pipeline().addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080);
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}
        
        

The above code represents a simple backend server using the Shelf framework in Dart. The server is set up to listen on localhost at port 8080 and responds to all incoming requests with a simple message containing the requested URL.

The vulnerability in this code lies in the fact that it uses an insecure HTTP channel to communicate, which does not provide any form of encryption for the transmitted data. This means that any sensitive information, such as customer data, that is transmitted over this channel can be intercepted and read by malicious third parties.

In the context of this code, the vulnerability is specifically in the io.serve(handler, 'localhost', 8080); line. This line sets up the server to listen for incoming connections, but it does not specify any form of encryption to be used, thus creating an insecure channel.

To exploit this vulnerability, an attacker would simply need to intercept the communication between the server and a client. Since the data is not encrypted, they would be able to read and potentially misuse any information they capture.

Steps

• Import the 'shelf' and 'shelf_io' packages from the 'shelf' library.
• Replace the 'serve' function with the 'serveSecure' function to enable secure communication.
• Provide the necessary parameters for the 'serveSecure' function, including the server certificate and private key.
• Ensure that the server certificate and private key are stored securely and are not accessible to unauthorized users.
• Test the application to ensure that customer information is now transmitted over a secure channel.

Compliant code

        import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

void main() {
  var handler = const shelf.Pipeline().addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  var serverCertificate = new SecurityContext()
    ..useCertificateChain('path/to/certificate.pem')
    ..usePrivateKey('path/to/private_key.pem', password: 'password');

  io.serveSecure(handler, 'localhost', 8080, serverCertificate);
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}
        
        

The updated code now uses the serveSecure function from the shelf_io package instead of the serve function. This function enables secure communication over the network by using SSL/TLS encryption.

A SecurityContext object is created, which is used to specify the server certificate and private key. The useCertificateChain method is used to specify the path to the server certificate, and the usePrivateKey method is used to specify the path to the private key. The password for the private key is also provided.

The serveSecure function is then called with the handler, the hostname, the port, and the SecurityContext object as parameters. This ensures that all communication over the network is encrypted and secure.

Please note that the paths to the server certificate and private key, as well as the password for the private key, should be stored securely and not be accessible to unauthorized users.

After implementing these changes, test the application to ensure that customer information is now transmitted over a secure channel.

References

• 332. Use of insecure channel - Source code