Prevention of unauthorized disclosure of technical information
```typescript
import express from 'express';

const app = express();

app.get('/', (req, res) => {
  res.send('Welcome to the vulnerable application!');
});

app.get('/version', (req, res) => {
  // Exposing system component versions (the Node.js runtime version)
  res.send(`Server Version: ${process.version}`);
});

app.get('/config', (req, res) => {
  // Exposing specific configuration information
  res.send(`PHP Configuration: ${readPHPConfig()}`);
});

function readPHPConfig() {
  // Read and return PHP configuration (stand-in for the real file contents)
  return 'php.ini content';
}

app.listen(3000, () => {
  console.log('Server started on port 3000');
});
```
The vulnerability in the given code is a technical information leak. It allows an attacker to gather sensitive technical information about the server, such as system component versions and specific configuration details.

In the code, there are two routes defined: `/version` and `/config`.

The `/version` route exposes the server version by sending the `process.version` value in the response. An attacker can use this to identify the version of the server and look for known vulnerabilities specific to that version.

The `/config` route exposes specific configuration information by calling the `readPHPConfig()` function and sending the content of the PHP configuration file (`php.ini`) in the response. This gives an attacker valuable information about the server's configuration, which can be used to craft targeted attacks.

Both of these routes should be considered security risks, as they expose sensitive technical information that attackers can leverage to identify vulnerabilities and launch further attacks.

To mitigate this vulnerability, the code should be modified to remove the routes that expose technical information.
```typescript
import express from 'express';

const app = express();

// Only a generic welcome message is served; no version or configuration data
app.get('/', (req, res) => {
  res.send('Welcome to the secure application!');
});

app.listen(3000, () => {
  console.log('Server started on port 3000');
});
```
The fixed code is written in TypeScript and uses the Express framework to create a secure application.

First, the code imports the Express module using the `import` statement. Then, it creates an instance of the Express application by calling the `express()` function and assigns it to the `app` constant.

Next, the code defines a route for the root URL (`/`) using the `app.get()` method. When a GET request is made to the root URL, the callback function is executed. Inside the callback, the code sends a response with the message "Welcome to the secure application!" using the `res.send()` method.

After that, the code calls the `app.listen()` method to start the server and listen on port 3000. When the server starts successfully, it logs the message "Server started on port 3000" to the console.

This fixed code does not expose any technical information or sensitive server configuration. It simply responds with a welcome message when a request is made to the root URL.
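Removing the routes is the fix; the following is an added defense-in-depth example (not code from the original page) written in plain Node.js with no Express dependency so it runs stand-alone. It strips stack-identifying headers such as the `X-Powered-By: Express` header that Express sends by default, flags response bodies that look like the leaks above (runtime versions, config file names, stack traces), and wraps an Express-style `res.send` so a leaking body is replaced before it reaches the client; the header list, leak patterns and middleware name are assumptions chosen for this example.

```javascript
'use strict';

// Response headers that advertise the server stack (assumed list for this example).
const TECHNICAL_HEADERS = new Set(['x-powered-by', 'server', 'x-aspnet-version']);

// Return a copy of a header object without stack-identifying headers (case-insensitive).
function stripTechnicalHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!TECHNICAL_HEADERS.has(name.toLowerCase())) clean[name] = value;
  }
  return clean;
}

// Patterns that indicate a body discloses a version, a config file, or a stack trace.
// These are assumed heuristics; tune them to the application's own output.
const LEAK_PATTERNS = [
  { name: 'runtime-version', re: /\bv?\d+\.\d+\.\d+\b/ },           // e.g. v18.19.0
  { name: 'config-file', re: /\b(php\.ini|\.env|web\.config)\b/i },  // e.g. php.ini
  { name: 'stack-trace', re: /^\s+at .+\(.+:\d+:\d+\)$/m },          // "    at fn (file:10:5)"
];

// Return the names of every leak pattern found in a response body ([] when clean).
function findTechnicalLeaks(body) {
  return LEAK_PATTERNS.filter((p) => p.re.test(String(body))).map((p) => p.name);
}

// Status endpoint body that reports liveness without process.version or config data.
function statusResponse() {
  return { status: 'ok' };
}

// Express-style middleware (assumed name): wraps res.send so that a body matching a
// leak pattern is logged server-side and replaced with a generic message.
function denyTechnicalLeaks(req, res, next) {
  const originalSend = res.send.bind(res);
  res.send = (body) => {
    const leaks = findTechnicalLeaks(body);
    if (leaks.length === 0) return originalSend(body);
    console.error(`blocked response disclosing: ${leaks.join(', ')}`);
    if (typeof res.status === 'function') res.status(500);
    return originalSend('Internal error');
  };
  next();
}
```

In a real application the middleware is registered with `app.use(denyTechnicalLeaks)` before the routes, and `app.disable('x-powered-by')` removes the Express header at the source.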