Use of an insecure channel - HTTP
Need
Secure transmission of client information
Context
- Usage of C# 7.0 for modern language features and improvements
- Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core MVC
- Usage of Microsoft.AspNetCore.StaticFiles for serving static files in ASP.NET Core
Description
Non compliant code
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        // No UseHttpsRedirection or UseHsts: requests and responses travel over
        // plain HTTP exactly as received, which is the weakness described below.
        app.UseStaticFiles();
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
The above code is a typical configuration for an ASP.NET Core application. In this case, the application is using HTTP, an insecure channel, to transmit data. There is no use of encryption in this code which means that any data transmitted over this channel can be intercepted and read in plain text.
The ConfigureServices method adds MVC to the application's services. The Configure method sets up the application's HTTP request pipeline, a series of request delegates called one after the other.
The UseMvc method adds the MVC middleware to the request pipeline, and the MapRoute method defines the application's routes. In this case, the default route points to the Home controller and the Index action.
Since this application is using HTTP, it is vulnerable to man-in-the-middle attacks where an attacker can intercept the data being transmitted. This is particularly dangerous if the data being transmitted includes sensitive information such as usernames, passwords, or credit card information.
Steps
- Enable HTTPS for secure communication
- Configure SSL/TLS certificate for the application
- Redirect HTTP requests to HTTPS
- Update the application's configuration to use HTTPS
- Ensure all sensitive data is transmitted over secure channels
Compliant code
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        // Options consumed by the UseHttpsRedirection middleware registered below.
        services.AddHttpsRedirection(options =>
        {
            options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
            options.HttpsPort = 5001; // Set your HTTPS port here
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseHttpsRedirection();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            // HSTS only outside development: browsers cache the policy.
            app.UseHsts();
            app.UseHttpsRedirection();
        }

        app.UseStaticFiles();
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
The above code fixes the vulnerability by enforcing the use of HTTPS over HTTP. This is done by registering HTTPS redirection in the ConfigureServices method and applying it in the Configure method.
In the ConfigureServices method, AddHttpsRedirection registers the options that the HTTPS redirection middleware uses, so that every HTTP request is redirected to HTTPS. The RedirectStatusCode is set to Status307TemporaryRedirect, which means that the method and the body of the original request are reused to perform the redirected request. The HttpsPort is set to 5001, but this should be replaced with the actual HTTPS port your application is using.
In the Configure method, UseHttpsRedirection adds the middleware to the application's request processing pipeline. This middleware redirects HTTP requests to HTTPS.
In the production environment, UseHsts is also added to the pipeline. This middleware adds the Strict-Transport-Security header to responses served over HTTPS. This header tells browsers that the website should only be accessed using HTTPS; because browsers cache this policy, it is kept out of the development environment.
By enforcing the use of HTTPS, the application ensures that all data is transmitted over a secure channel. This prevents the interception of sensitive data that is transmitted over the network.
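The compliant Startup above redirects to port 5001, and the Steps list calls for configuring a TLS certificate, but the page shows no endpoint or certificate configuration. The following Program.cs is an added example (not code from the original page) that binds Kestrel to a plain HTTP listener and a TLS listener on 5001, and states the HSTS policy explicitly; the configuration keys `Certificate:Path` and `Certificate:Password` and the `AddStrictTransportSecurity` helper are assumed names.

```csharp
using System;
using System.Net;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static void Main(string[] args)
    {
        CreateWebHostBuilder(args).Build().Run();
    }

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .ConfigureKestrel((context, options) =>
            {
                // Certificate location and password come from configuration
                // (user secrets, environment variables or appsettings), never
                // from source. The key names below are assumed for this example.
                string pfxPath = context.Configuration["Certificate:Path"];
                string pfxPassword = context.Configuration["Certificate:Password"];

                // Plain HTTP listener: its only job is to receive the first
                // request so UseHttpsRedirection can answer with a 307 to https.
                options.Listen(IPAddress.Any, 5000);

                // TLS listener on the port named in AddHttpsRedirection
                // (options.HttpsPort = 5001 in the compliant Startup above).
                options.Listen(IPAddress.Any, 5001, listenOptions =>
                {
                    listenOptions.UseHttps(pfxPath, pfxPassword);
                });
            })
            .UseStartup<Startup>();
}

// Complement to the compliant ConfigureServices: UseHsts sends a 30-day
// max-age by default; these options make the policy explicit. Assumed helper.
public static class HstsSetup
{
    public static IServiceCollection AddStrictTransportSecurity(this IServiceCollection services) =>
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            // Only enable when every subdomain is also served over HTTPS.
            options.IncludeSubDomains = true;
        });
}
```

Call `services.AddStrictTransportSecurity()` next to `AddHttpsRedirection` in ConfigureServices; the first request over port 5000 is still sent in the clear, which is why the HSTS header matters for every later visit.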