
Technical information leak

Need

Protection of sensitive technical information from unauthorized access or disclosure

Context

  • Usage of TypeScript for type-checking and compiling JavaScript code
  • Usage of Express for building web applications and handling HTTP requests

Description

Non-compliant code

import express from 'express';

const app = express();

// Express adds "X-Powered-By: Express" to every response by default;
// nothing here turns it off, so the framework is disclosed to every client.
app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server started on port 3000');
});

The vulnerability in the given code is a technical information leak: the server is not configured to remove the service banner or to keep sensitive details out of the HTTP response headers.

The code creates an Express server and defines a route for the root URL ("/"). When a request is made to that URL, the server responds with the message "Hello World!".

Because nothing in the code suppresses the service banner, every response also carries headers that identify the server technology, and may reveal its version, to any client that makes a request.

Attackers can use this information to learn about the server's configuration and version, which helps them build new attack vectors: known vulnerabilities in specific versions of server components can be exploited, and the disclosed details can be used to plan targeted attacks.

To mitigate this vulnerability, the server should be configured to remove the service banner and to ensure that the HTTP headers do not disclose sensitive information such as server names or versions.

Steps

  • Remove the console.log statement that displays the server start message
  • Configure the Express app to disable the server banner
  • Remove any unnecessary HTTP headers that may leak information

Compliant code

import express from 'express';

const app = express();

// Stop Express from adding the "X-Powered-By: Express" header to responses.
app.disable('x-powered-by');

app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000);

The fixed code is written in TypeScript and uses the Express framework to create a server. It addresses the technical information leak through the following measures:

  1. The code imports the 'express' module and creates an instance of the Express application using the express() function.

  2. The app.disable('x-powered-by') line disables the default 'x-powered-by' header in the HTTP response. This header reveals the server technology in use, which attackers can exploit. Disabling it prevents that disclosure.

  3. The code defines a route for the root URL ('/') using the app.get() method. When a GET request is made to the root URL, the server responds with the message 'Hello World!'.

  4. Finally, the app.listen(3000) line starts the server and listens on port 3000 for incoming requests.

By disabling the 'x-powered-by' header and not exposing any other technology-specific information in the HTTP response headers, the fixed code ensures that technical details about the server and its components are not leaked, reducing the risk of new attack vectors.
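The following TypeScript is an added example, not the page's own code and not part of Express; it shows how to verify the fix and how to strip banner headers defensively. The header list BANNER_HEADERS, the functions stripBannerHeaders, auditHeaders and hideBanners, the HeaderSink interface and the SAMPLE_LEAKY_HEADERS input are all assumptions made for this example. The only Express/Node API it relies on is res.removeHeader, which Node's http.ServerResponse provides and which matches header names case-insensitively.

```typescript
// Added example (not the page's own code): helpers that strip stack-revealing
// response headers from an Express/Node app, plus an audit function that checks
// a captured set of response headers so a CI step can confirm the leak is gone.

// Response headers that commonly disclose the server technology or version.
// This list is an assumption for the example; extend it for your own stack.
const BANNER_HEADERS: readonly string[] = [
  'x-powered-by',        // Express sets "X-Powered-By: Express" unless disabled
  'server',              // reverse proxies often add e.g. "Server: nginx/1.x"
  'x-aspnet-version',
  'x-aspnetmvc-version',
];

function isBannerHeader(name: string): boolean {
  // HTTP header names are case-insensitive, so normalise before comparing.
  return BANNER_HEADERS.includes(name.toLowerCase());
}

// Return a copy of `headers` with every banner header removed.
function stripBannerHeaders(headers: Record<string, string>): Record<string, string> {
  const clean: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!isBannerHeader(name)) clean[name] = value;
  }
  return clean;
}

// Audit a captured response's headers (for instance the output of `curl -sI`)
// and return one finding per leaking header; an empty array means no leak.
function auditHeaders(headers: Record<string, string>): string[] {
  const findings: string[] = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isBannerHeader(name)) findings.push(`${name.toLowerCase()}: ${value}`);
  }
  return findings;
}

// The subset of Express's Response (Node's http.ServerResponse) the middleware uses.
interface HeaderSink {
  removeHeader(name: string): void;
}

// Express-compatible middleware (`app.use(hideBanners)`): a belt-and-braces
// companion to `app.disable('x-powered-by')` that removes any banner header
// already set on the response before the handler sends it.
function hideBanners(_req: unknown, res: HeaderSink, next: () => void): void {
  for (const name of BANNER_HEADERS) res.removeHeader(name);
  next();
}

// Constructed sample: the headers a default Express app returns for GET /.
const SAMPLE_LEAKY_HEADERS: Record<string, string> = {
  'X-Powered-By': 'Express',
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Length': '12',
};

// Stand-alone run: report the leak, then show the sanitised header set.
console.log('findings before fix:', auditHeaders(SAMPLE_LEAKY_HEADERS));
console.log('headers after fix:', stripBannerHeaders(SAMPLE_LEAKY_HEADERS));
```

The audit function is the part worth wiring into a pipeline: capture the headers of a deployed endpoint and fail the build if it returns any finding. Note that Node can only remove headers it sets itself; a Server header added by a reverse proxy in front of the application has to be removed in that proxy's configuration.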
