Enabled default configuration - TypeScript

Enabled default configuration - TypeScript

Need

Disable default configurations to prevent unauthorized access and information disclosure

Context

  • Usage of TypeScript for type-checking and compiling JavaScript code
  • Usage of Express for building web applications and APIs

Description

Non compliant code

        import express from 'express';

const app = express();

app.get('/', (req, res) => {
  res.send('Welcome to the default page!');
});

app.listen(3000, () => {
  console.log('Server started on port 3000');
});
        
        

The vulnerability in this code is the presence of a default page that is enabled by the server. The code sets up an Express server and defines a route for the root URL ("/") that sends a response with the message "Welcome to the default page!".

This default page can be accessed by anyone who knows the server's IP address or domain name. By accessing this page, an attacker can obtain relevant technical information about the server, such as the server version, software stack, and potentially other sensitive information.

This information can be used by the attacker to gather intelligence about the server and potentially exploit any known vulnerabilities or weaknesses in the server's configuration or software.

To mitigate this vulnerability, the default page should be disabled or modified in such a way that no sensitive information is exposed.

Steps

  • Remove the default route handler for the root path ('/')
  • Replace it with a custom route handler that returns a generic response
  • For example, you can return a 404 Not Found status code with a custom message
  • Make sure to remove any sensitive information or technical details from the response

Compliant code

        import express from 'express';

const app = express();

app.get('/', (req, res) => {
  res.status(404).send('Page not found');
});

app.listen(3000, () => {
  console.log('Server started on port 3000');
});
        
        

The fixed code is written in TypeScript and uses the Express framework to create a server. It addresses the vulnerability by disabling the server's default page and preventing any information from being obtained from it.

In the code, we import the express module and create an instance of the Express application using express().

We then define a route for the root URL ("/") using the app.get() method. This route handler sends a 404 status code and the message "Page not found" as the response. This ensures that any request to the root URL will always receive a "Page not found" response, effectively disabling the default page.

Finally, we start the server by calling the app.listen() method and specifying the port number (3000 in this case). This will start the server and log a message to the console indicating that the server has started on the specified port.

By disabling the default page and returning a generic "Page not found" response, we prevent any potential attacker from obtaining any relevant technical information about the server.

References