Use of an insecure channel - TypeScript

Use of an insecure channel - TypeScript

Need

Secure transmission of sensitive information

Context

  • Requirement of Node.js v14.0.0 or later for running the application
  • Usage of Express for building web applications and APIs

Description

Non compliant code

        import express from 'express';

const app = express();
const port = 3000;

app.get('/login', (req, res) => {
  const username = req.query.username;
  const password = req.query.password;

  // Perform login logic here

  res.send('Login successful');
});

app.listen(port, () => {
  console.log(`Server running on port ${port}`);
});
        
        

The vulnerability in this code is the use of an insecure channel for transmitting sensitive information. In this case, the code is using the HTTP protocol, which does not provide encryption for the data being transmitted.

When a user accesses the '/login' endpoint, the code retrieves the username and password from the query parameters of the request. However, since the communication is not encrypted, this sensitive information is transmitted in plain text.

This vulnerability can be exploited by an attacker who has access to the network traffic. They can intercept the request and easily capture the confidential information and credentials, potentially leading to unauthorized access to user accounts or other security breaches.

To mitigate this vulnerability, it is recommended to deploy the application over an encrypted communication channel, such as HTTPS with TLS. This would ensure that the data transmitted between the client and the server is encrypted, making it much more difficult for an attacker to intercept and decipher the sensitive information.

Steps

  • Install the 'https' module by running 'npm install https'
  • Import the 'https' module in the code
  • Generate an SSL certificate for your domain
  • Create an HTTPS server using the 'https' module
  • Update the server listen function to use the HTTPS server instead of the HTTP server
  • Replace 'app.listen' with 'httpsServer.listen' to start the server over an encrypted channel

Compliant code

        import express from 'express';
import https from 'https';
import fs from 'fs';

const app = express();
const port = 3000;

const options = {
  key: fs.readFileSync('path/to/private.key'),
  cert: fs.readFileSync('path/to/certificate.crt')
};

const server = https.createServer(options, app);

app.get('/login', (req, res) => {
  const username = req.query.username;
  const password = req.query.password;

  // Perform login logic here

  res.send('Login successful');
});

server.listen(port, () => {
  console.log(`Server running on port ${port}`);
});
        
        

The fixed code addresses the vulnerability by implementing secure communication using HTTPS with TLS encryption.

First, the code imports the necessary modules: express for creating the server, https for creating an HTTPS server, and fs for reading the private key and certificate files.

Next, the code creates an instance of the express application and sets the desired port number (in this case, 3000).

The code defines an options object that contains the private key and certificate for enabling HTTPS. The private key and certificate are read from the corresponding files using the fs.readFileSync method.

Then, the code creates an HTTPS server using the https.createServer method, passing in the options object and the express application.

The code sets up a route for the /login endpoint using the app.get method. Inside the route handler, it retrieves the username and password from the request query parameters.

After that, the code can perform the necessary login logic securely, as the communication is encrypted.

Finally, the server listens on the specified port using the server.listen method, and a console log message is printed to indicate that the server is running.

By using HTTPS with TLS encryption, the fixed code ensures that sensitive information, such as usernames and passwords, is transmitted securely over an encrypted channel, mitigating the risk of interception and unauthorized access.

References