Business information leak - Personal Information - TypeScript

Need

Protection of personal information from unauthorized access or leakage

Context

  • Usage of TypeScript for type-checking and compiling JavaScript code
  • Usage of Express for building web applications and APIs

Description

Non compliant code

import express from 'express';

const app = express();

// A person's details are embedded in the source file. The handler also
// performs no authentication or authorization, so any caller who can reach
// the port receives the same record no matter which id they request.
app.get('/user/:id', (req, res) => {
  const userId = req.params.id;
  const userData = {
    id: userId,
    name: 'John Doe',
    email: 'johndoe@example.com',
    phone: '+1234567890',
    address: '123 Main St',
  };

  res.json(userData);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in this code is that personal information (a user's identifier, name, email address, phone number and postal address) is written directly into the source file. Anyone who can read the source, whether a developer, a contractor or an attacker who has obtained a copy of the repository, obtains that information without ever touching the running application.

The snippet defines an Express route for the '/user/:id' endpoint. On a GET request it reads the 'id' path parameter, builds a 'userData' object from the hardcoded name, email, phone and address, and returns that object as a JSON response. The 'id' is only echoed back; it is never used to look anything up, and the handler checks neither who the caller is nor whether they are allowed to see the record.

Because the data is part of the code, it can be recovered by inspecting the repository, from version-control history even after it has been deleted from the current revision, or through any other weakness that exposes source files, such as a misconfigured deployment that serves the application bundle.

The impact is that an attacker obtains real contact details, such as email addresses and phone numbers, which can be used for social engineering, phishing and other attacks against the affected person.

To mitigate this vulnerability, personal information must not be present in the source code. It should be kept in a database or another secure store and retrieved at request time, after checking that the caller is authorized to read it, returning only the fields the endpoint actually needs. Where sample data is required for development or testing, it must be clearly fictitious and must not correspond to any real person.

Steps

  • Remove the real user information from the code
  • Replace it with clearly fictitious sample data (for example, addresses under a reserved domain such as example.com)
  • Verify that the sample data cannot be traced back to any real person
  • Load production records from a database or other secure store at request time, and keep that store's credentials in environment variables or a configuration file outside the repository
  • If real personal data was committed, treat it as disclosed: purge it from version-control history and assess whether the affected people must be notified
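The following is an added example, not code from the original page, showing the shape a handler takes once the steps above and the mitigation in the description are applied: records come from a repository instead of the source file, the caller may only read their own record, and only the fields the endpoint needs are returned. The request and response interfaces, the 'authenticatedUserId' field (assumed to be set by an upstream authentication middleware), the repository names and the fixture data are all assumptions made for this example; the in-memory repository stands in for a real database so the code runs without a server or the express package installed.

```typescript
// Added example, not part of the original page: the user endpoint with the
// personal data moved out of source into a data store, an ownership check,
// and field minimisation on the response.

// Minimal request/response shapes matching what an Express handler receives,
// so the example compiles and runs without the express package.
interface UserRequest {
  params: { id: string };
  // Assumption (hypothetical field): an authentication middleware upstream
  // has verified the caller and attached their user id here.
  authenticatedUserId?: string;
}

interface UserResponse {
  statusCode: number;
  body?: unknown;
  status(code: number): UserResponse;
  json(payload: unknown): UserResponse;
}

// Full record as held in the data store. It is never written into source.
interface UserRecord {
  id: string;
  name: string;
  email: string;
  phone: string;
  address: string;
}

// What this endpoint exposes: a deliberately narrower view of the record.
interface UserView {
  id: string;
  name: string;
  email: string;
}

// Repository boundary. A production implementation queries a database whose
// credentials come from environment variables or a secrets manager.
interface UserRepository {
  findById(id: string): UserRecord | undefined;
}

class InMemoryUserRepository implements UserRepository {
  private readonly users = new Map<string, UserRecord>();

  constructor(seed: readonly UserRecord[]) {
    for (const user of seed) this.users.set(user.id, user);
  }

  findById(id: string): UserRecord | undefined {
    return this.users.get(id);
  }
}

// Constructed development fixtures. example.org is reserved by RFC 2606 and
// the 555-01xx phone range is reserved for fiction, so nothing here can name
// a real person.
const devFixtures: readonly UserRecord[] = [
  { id: 'u1', name: 'Test User One', email: 'user1@example.org', phone: '+1-555-0100', address: '1 Fixture Way' },
  { id: 'u2', name: 'Test User Two', email: 'user2@example.org', phone: '+1-555-0101', address: '2 Fixture Way' },
];

// Guard for tests and CI: reject any fixture that does not use reserved values.
function isSyntheticFixture(user: UserRecord): boolean {
  const reservedDomain = /@example\.(com|net|org)$/i;
  const fictionalPhone = /^\+1-555-01\d\d$/;
  return reservedDomain.test(user.email) && fictionalPhone.test(user.phone);
}

// Accept only ids of a known shape so arbitrary input never reaches the store.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

function toView(user: UserRecord): UserView {
  return { id: user.id, name: user.name, email: user.email };
}

// Factory producing an Express-compatible handler bound to a repository.
// Wiring: app.get('/user/:id', getUserHandler(repo))
function getUserHandler(repo: UserRepository) {
  return (req: UserRequest, res: UserResponse): UserResponse => {
    const { id } = req.params;
    if (!ID_PATTERN.test(id)) return res.status(400).json({ error: 'invalid id' });
    if (!req.authenticatedUserId) return res.status(401).json({ error: 'authentication required' });
    // Object-level authorization: a caller may only read their own record.
    if (req.authenticatedUserId !== id) return res.status(403).json({ error: 'forbidden' });
    const user = repo.findById(id);
    if (!user) return res.status(404).json({ error: 'not found' });
    return res.status(200).json(toView(user));
  };
}

// Small in-memory response used to exercise the handler without a server.
function makeResponse(): UserResponse {
  return {
    statusCode: 200,
    body: undefined,
    status(code: number) { this.statusCode = code; return this; },
    json(payload: unknown) { this.body = payload; return this; },
  };
}
```

With the handler built as 'getUserHandler(new InMemoryUserRepository(devFixtures))', a request for 'u1' by the authenticated user 'u1' returns only id, name and email; the same request by 'u2' is refused with 403, an unauthenticated request with 401, an unknown id with 404 and a malformed id with 400. Swapping the in-memory repository for a database-backed one changes nothing in the handler, which is the point of keeping the data behind that boundary.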

Compliant code

import express from 'express';

const app = express();

app.get('/user/:id', (req, res) => {
  const userId = req.params.id;
  // Placeholder record with invented values; nothing here describes a real
  // person. A production handler loads the record for userId from the data
  // store instead of building it inline.
  const userData = {
    id: userId,
    name: 'Jane Smith',
    email: 'janesmith@example.com',
    phone: '+9876543210',
    address: '456 Elm St',
  };

  res.json(userData);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code addresses the vulnerability by removing the real user information from the source file and substituting fictitious placeholder data for demonstration purposes.

The code imports the 'express' module and creates an instance of the Express application. It then defines a GET route '/user/:id' that expects an 'id' parameter identifying the user.

Inside the route handler, the user ID is read from 'req.params.id'. The sample still does not use that ID to fetch anything; it returns a fixed placeholder object built from fictitious values.

The placeholder object has the same 'id', 'name', 'email', 'phone' and 'address' properties as before, but the values ('Jane Smith', 'janesmith@example.com', '+9876543210', '456 Elm St') are invented and correspond to no real person.

Finally, the placeholder object is sent as a JSON response using 'res.json(userData)'.

Because the values are invented, inspecting the source no longer reveals anything about a real person, which removes the business information leak. The placeholder is appropriate only for a demonstration or a test fixture; a production handler should load the record for 'userId' from the data store at request time, check that the caller is allowed to read it, and return only the fields the client needs.