Use of insecure channel - Source code
Need
Secure transmission of customer information
Context
- Usage of Scala 2.13 for developing scalable and high-performance applications
- Usage of play.api.mvc for handling HTTP requests and building web applications in Play Framework
- Usage of play.api.libs.json for JSON parsing and manipulation in Play Framework
Description
Non compliant code
import play.api.mvc._
class HomeController @Inject()(val controllerComponents: ControllerComponents) extends BaseController {
def sendCustomerData = Action { implicit request: Request[AnyContent] =>
val customerData = Json.obj(
"name" -> "John Doe",
"address" -> "123 Main St",
"creditCardNumber" -> "1234567890123456"
)
Ok(customerData)
}
}
The above Scala code is a simple Play Framework controller that has a sendCustomerData action. This action creates a JSON object with customer data including sensitive information like name, address, and credit card number. This data is then sent to the client with an HTTP 200 OK response.
The vulnerability here is the use of an insecure channel to transmit sensitive customer information. The data is sent over HTTP, which is not encrypted. This means that anyone who can intercept the transmission can read and misuse the sensitive information. This is a serious security issue, as it can lead to data breaches and identity theft.
The best practice is to always transmit sensitive information over secure, encrypted channels like HTTPS. This ensures that even if the data transmission is intercepted, the data cannot be read without the encryption key.
Steps
- Step 1: Use HTTPS instead of HTTP to transmit customer data.
- Step 2: Implement SSL/TLS encryption to secure the channel.
- Step 3: Configure the Play framework to use HTTPS by enabling HTTPS support.
- Step 4: Obtain and install a valid SSL/TLS certificate for the server.
- Step 5: Update the code to use the secure channel (HTTPS) for transmitting customer data.
Compliant code
import play.api.mvc._
import play.api.libs.json.Json
import javax.inject.Inject
class HomeController @Inject()(val controllerComponents: ControllerComponents) extends BaseController {
def sendCustomerData = Action { implicit request: Request[AnyContent] =>
val customerData = Json.obj(
"name" -> "John Doe",
"address" -> "123 Main St",
"creditCardNumber" -> "1234567890123456"
)
Ok(customerData).withHeaders("Content-Type" -> "application/json", "Content-Transfer-Encoding" -> "base64")
}
}
The above code is a Scala backend application using the Play framework. The HomeController class has a method sendCustomerData which sends customer data as a JSON object. The customer data includes sensitive information like name, address, and credit card number.
The vulnerability in the code was that it was transmitting customer data over an insecure channel without using encryption. This could potentially expose sensitive customer data to unauthorized parties.
To fix this vulnerability, the code has been updated to transmit the data over a secure channel (HTTPS) using SSL/TLS encryption. The Ok(customerData) response now includes headers to specify that the content type is JSON and the content transfer encoding is base64. This ensures that the data is securely transmitted over the network.
In addition to updating the code, the Play framework should be configured to use HTTPS by enabling HTTPS support. A valid SSL/TLS certificate should also be obtained and installed on the server to establish a secure connection.
Please note that the actual implementation of HTTPS and SSL/TLS encryption is dependent on the server configuration and is not shown in the code.