Security controls bypass or absence - Session Invalidation - TypeScript

Security controls bypass or absence - Session Invalidation - TypeScript

Need

Implementation of proper security controls for session invalidation

Context

  • Usage of TypeScript for type-checking and static typing in Node.js development
  • Usage of Express for building web applications and handling HTTP requests

Description

Non compliant code

        import express from 'express';

const app = express();

app.get('/main', (req, res) => {
  const sessionCode = req.query.sessionCode;
  
  if (sessionCode === 'auto') {
    res.send('Welcome to the main page!');
  } else {
    res.send('Access denied!');
  }
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The vulnerability in this code is a security control bypass or absence related to session invalidation. The code includes a route handler for the "/main" endpoint that checks the value of the "sessionCode" query parameter. If the value of "sessionCode" is equal to "auto", the server responds with "Welcome to the main page!". Otherwise, it responds with "Access denied!".

However, the issue lies in the fact that the code used during the debugging phase was left in the implementation. If a session code containing the word "auto" is used, access to the main page is allowed, regardless of the actual session code.

This vulnerability can be exploited by an attacker who knows about this debugging code. They can bypass the intended session validation mechanism by setting the session code to "auto" and gain unauthorized access to the application's main page.

To mitigate this vulnerability, the debugging code should be removed from the implementation to ensure proper session validation.

Steps

  • Remove the debugging code used during testing from the application
  • Update the logic in the '/main' route to properly validate the session code
  • Implement a secure session management system to handle session invalidation

Compliant code

        import express from 'express';

const app = express();

app.get('/main', (req, res) => {
  const sessionCode = req.query.sessionCode;
  
  if (sessionCode && sessionCode !== 'auto') {
    res.send('Welcome to the main page!');
  } else {
    res.send('Access denied!');
  }
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The fixed code is written in TypeScript and uses the Express framework to create a server.

The code defines a route handler for the '/main' endpoint. When a GET request is made to this endpoint, the handler function is executed.

Inside the handler function, the sessionCode is extracted from the query parameters of the request using req.query.sessionCode.

The code then checks if the sessionCode exists and is not equal to 'auto'. If this condition is true, it means that a valid sessionCode is provided, and the server responds with 'Welcome to the main page!'.

If the sessionCode is either not provided or equal to 'auto', the server responds with 'Access denied!'.

By implementing this check, the code prevents the debugging code from being executed and ensures that only valid sessionCodes can access the main page.

References