Technical information leak - Headers - TypeScript

Technical information leak - Headers - TypeScript

Need

Prevention of technical information leakage through server response headers

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non compliant code

        import express from 'express';

const app = express();

app.get('/', (req, res) => {
  res.setHeader('Server', 'Express/2.0.0'); // Vulnerable header containing server version
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});
        
        

The vulnerability in this code lies in the use of the res.setHeader() method to set the "Server" header in the HTTP response. The code explicitly sets the "Server" header to a specific value, which in this case is "Express/2.0.0".

This can be a security risk because it exposes the specific version of the server software being used (Express version 2.0.0) to potential attackers. Attackers can use this information to identify vulnerabilities or weaknesses in that specific version and craft attacks specifically targeting it.

The impact of this vulnerability is that it allows an attacker to obtain technical information about the server, which can be used to craft new attack vectors. By knowing the specific server version, an attacker can search for known vulnerabilities or exploit techniques that are specific to that version.

The recommended solution is to verify that the HTTP response headers do not contain any sensitive information such as server names or version numbers. In this case, the "Server" header should not be set to a specific value, or it should be set to a generic value that does not reveal any specific information about the server software being used.

Steps

  • Remove the vulnerable header containing the server version
  • Update the code to remove the 'res.setHeader' line

Compliant code

        import express from 'express';

const app = express();

app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});
        
        

The fixed code is written in TypeScript and uses the Express framework to create a server. It addresses the vulnerability by ensuring that the HTTP response headers do not contain any sensitive information such as technology names or component versions.

Here's a breakdown of the code:

1. Importing the necessary modules:
- express: This module is used to create the server and handle HTTP requests.

2. Creating an instance of the Express application:
- const app = express();: This line creates a new instance of the Express application.

3. Defining a route handler for the root path ("/"):
- app.get('/', (req, res) => { ... });: This code sets up a route handler for the GET request on the root path ("/"). The arrow function (req, res) => { ... } is the callback function that will be executed when a request is made to this route.

4. Sending a response:
- res.send('Hello World!');: This line sends the response "Hello World!" back to the client.

5. Starting the server:
- app.listen(3000, () => { ... });: This code starts the server and listens on port 3000. The arrow function ( ) => { ... } is a callback function that will be executed once the server starts successfully.

6. Logging a message when the server starts:
- console.log('Server running on port 3000');: This line logs a message to the console indicating that the server is running on port 3000.

By not including any sensitive information in the response headers, this code ensures that technical information cannot be leaked to potential attackers, mitigating the risk of crafting new attack vectors.

References