Sensitive information in source code - Credentials - TypeScript

Need

Protection of sensitive information in source code

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and handling HTTP requests

Description

Non compliant code

        import express from 'express';

        const app = express();

        app.get('/login', (req, res) => {
          const username = 'admin';
          const password = 'password123';

          // Authenticate user
          if (req.query.username === username && req.query.password === password) {
            res.send('Login successful');
          } else {
            res.send('Invalid credentials');
          }
        });

        app.listen(3000, () => {
          console.log('Server is running on port 3000');
        });


The vulnerability in this code is that it stores sensitive information, specifically the username and password, directly in the source code. This means that anyone with access to the codebase can easily obtain these credentials.

In the code, the username is set to 'admin' and the password is set to 'password123'. These values are used to authenticate the user in the '/login' route. However, hardcoding sensitive information like this is highly discouraged as it exposes the credentials to potential attackers.

If an attacker gains access to the source code, they can easily retrieve the username and password, allowing them to impersonate the admin user and potentially gain unauthorized access to the system or sensitive data.

To mitigate this vulnerability, it is recommended to remove the hardcoded sensitive information from the code. Instead, sensitive data should be stored in secure sources such as a key vault, encrypted configuration files, or environment variables. This ensures that the credentials are not exposed in the source code and are kept secure.

Steps

  • Remove the hardcoded sensitive information (username and password) from the code
  • Store the sensitive information in a secure location such as a key vault, encrypted configuration file, or environment variables
  • Update the code to retrieve the sensitive information from the secure location
  • Ensure that the sensitive information is not logged or exposed in any way
  • Change the login credentials that were compromised
  • Test the updated code to ensure it functions correctly and securely

Compliant code

        import express from 'express';

        const app = express();

        // Retrieve sensitive information from a secure location (the environment)
        // and refuse to start if it is missing. An unset variable is `undefined`,
        // and a request carrying no credentials would otherwise compare
        // `undefined === undefined` and be accepted.
        const username = process.env.USERNAME;
        const password = process.env.PASSWORD;
        if (!username || !password) {
          throw new Error('USERNAME and PASSWORD environment variables must be set');
        }

        app.get('/login', (req, res) => {
          // Authenticate user
          if (req.query.username === username && req.query.password === password) {
            res.send('Login successful');
          } else {
            res.send('Invalid credentials');
          }
        });

        app.listen(3000, () => {
          console.log('Server is running on port 3000');
        });


The fixed code addresses the vulnerability by removing the hardcoded sensitive information and implementing secure practices for storing and retrieving credentials.

Instead of storing the sensitive information directly in the code, the code now retrieves the credentials from the environment at runtime. This is achieved by using the process.env object to access the values of the USERNAME and PASSWORD environment variables.

The code then uses these retrieved credentials to authenticate the user. It compares the values of the username and password query parameters with the retrieved credentials. If the credentials match, it sends a response indicating a successful login. Otherwise, it sends a response indicating invalid credentials.

By retrieving the sensitive information from a secure source instead of hardcoding it, the fixed code ensures that the credentials are not exposed in the source code or in the version control system. This significantly reduces the risk of sensitive information being compromised.

Additionally, the code uses the Express framework to create a server and listens on port 3000 for incoming requests. When the server starts, it logs a message indicating that it is running on port 3000.

Overall, the fixed code follows best practices for handling sensitive information and reduces the risk of unauthorized access to the credentials.
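The following is an added example, not code from the original page, showing the two checks the Steps above call for around environment-sourced credentials: fail closed when USERNAME or PASSWORD is unset (so an empty environment cannot turn into a credential-less login), and compare the supplied values in constant time after rejecting anything that is not a plain string. The function and type names are assumptions of this example; the environment variable names are the ones the compliant code uses.

```typescript
import { createHash, timingSafeEqual } from 'crypto';

interface Credentials {
  username: string;
  password: string;
}

// Read USERNAME and PASSWORD from an env-like map (process.env in production,
// a constructed object in tests). A missing or empty value aborts startup
// instead of leaving `undefined` to be compared against request input.
function loadCredentials(env: Record<string, string | undefined>): Credentials {
  const username = env.USERNAME;
  const password = env.PASSWORD;
  const missing: string[] = [];
  if (!username) missing.push('USERNAME');
  if (!password) missing.push('PASSWORD');
  if (missing.length > 0) {
    // Report the variable names only, never their values, so logs stay secret-free.
    throw new Error(`missing required environment variable(s): ${missing.join(', ')}`);
  }
  return { username: username as string, password: password as string };
}

// Hash both sides to a fixed length so timingSafeEqual never throws on a
// length mismatch and the comparison time does not leak where they differ.
function safeEqual(a: string, b: string): boolean {
  const ha = createHash('sha256').update(a).digest();
  const hb = createHash('sha256').update(b).digest();
  return timingSafeEqual(ha, hb);
}

// Express query values can be undefined, arrays or nested objects; only a
// plain string is accepted, and both fields are always evaluated.
function checkLogin(expected: Credentials, username: unknown, password: unknown): boolean {
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  const userOk = safeEqual(username, expected.username);
  const passOk = safeEqual(password, expected.password);
  return userOk && passOk;
}
```

In the Express handler this replaces the two `===` comparisons with `checkLogin(creds, req.query.username, req.query.password)`, where `creds` was produced by `loadCredentials(process.env)` at startup.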
