Insecure HTTP methods enabled

Need

Restriction of insecure HTTP methods

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non-compliant code

import express from 'express';

const app = express();

// Advertises TRACE, PUT and DELETE to every cross-origin caller.
// Nothing here refuses those methods server-side: the header is
// informational and the app never checks req.method.
app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, TRACE');
  next();
});

// Routes
app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The problem in this code is twofold: nothing restricts which HTTP methods the application will act on, and the Access-Control-Allow-Methods header it sets advertises TRACE, PUT and DELETE as supported to every cross-origin caller.

Access-Control-Allow-Methods is a CORS response header. It tells a browser which methods a script from another origin may use in a cross-origin request; it does not control which methods the server accepts. Node's HTTP server passes every parsed request, whatever its method, to the Express application, and a method with no matching route falls through to the default 404 handler rather than being refused with 405 Method Not Allowed. The middleware therefore enforces nothing; it only documents, and signals to scanners, a method set that the application never deliberately reviewed.

TRACE asks the server to echo the received request back in the response body. Cross-site tracing (XST) abuses that echo to read request headers a script could not otherwise see, such as HttpOnly cookies or an Authorization header. Browsers now refuse to send TRACE from fetch and XMLHttpRequest, so the practical exposure is low, but advertising it remains a finding, and the web servers or reverse proxies placed in front of a Node application often implement TRACE themselves, so the method has to be checked at the edge as well.

PUT and DELETE are not insecure in themselves; REST APIs depend on them. The risk is exposing them on resources that carry no authentication and authorization checks, where an attacker can create, overwrite or remove data. A method that no route intentionally implements should be refused, not advertised.

More generally, every method the application accepts without having reasoned about it is behaviour nobody hardened, which raises the probability of cross-site attacks such as cross-site tracing and cross-site leaks.

To mitigate this, decide which methods each endpoint needs, enforce that allowlist in the application by answering every other method with 405 Method Not Allowed and an Allow header, and derive Access-Control-Allow-Methods from the same list so that what is advertised matches what is enforced.

Steps

  • Remove TRACE, PUT, DELETE and any other method no route needs from the 'Access-Control-Allow-Methods' header
  • Enforce the allowlist in the application: reject requests whose method is not on it with 405 Method Not Allowed and an 'Allow' header, instead of relying on the CORS header
  • Verify that every route uses only the allowed methods, then re-test by sending TRACE, PUT and DELETE requests and confirming the server answers 405 rather than routing them

Compliant code

import express from 'express';

const app = express();

// Single source of truth for the methods this service supports.
// HEAD is included because Express answers HEAD for every GET route;
// OPTIONS is needed for CORS preflight.
const ALLOWED_METHODS = ['GET', 'HEAD', 'POST', 'OPTIONS'];
const ALLOW_HEADER = ALLOWED_METHODS.join(', ');

// Enforce the allowlist before any route runs
app.use((req, res, next) => {
  res.setHeader('Allow', ALLOW_HEADER);
  res.setHeader('Access-Control-Allow-Methods', ALLOW_HEADER);
  if (req.method === 'OPTIONS') {
    res.sendStatus(204); // answer preflight here, do not route it
    return;
  }
  if (!ALLOWED_METHODS.includes(req.method)) {
    res.status(405).send('Method Not Allowed');
    return;
  }
  next();
});

// Routes
app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code is again TypeScript on Express. It addresses the problem in the application itself, rather than in a header that only browsers honour.

First, the code imports the Express module and creates an instance of the application.

Next, a middleware function registered with app.use() defines one allowlist of methods (GET, HEAD, POST and OPTIONS) and applies it to every request. It sets the standard Allow header and the CORS Access-Control-Allow-Methods header from that same list, answers OPTIONS preflight requests directly with 204, and rejects any other method, including TRACE, PUT and DELETE, with 405 Method Not Allowed before it can reach a route.

After that, a route is defined for the root URL ("/") using the app.get() method. It simply sends the response 'Hello World!' when a GET request is made to the root URL.

Finally, the server is started and listens on port 3000 using the app.listen() method. A message is logged to the console to indicate that the server is running.

Because the headers and the enforcement are derived from the same list, what the server advertises matches what it accepts: a TRACE, PUT or DELETE request now receives 405 instead of being passed to the router. Anything terminating TLS or proxying in front of the application handles methods independently and must be checked separately, since a TRACE answered at the edge never reaches this middleware.
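The same allowlist as a reusable middleware factory, written here as an added example that is not part of the original page. It generalises the fix: the allowlist is configurable, HEAD is implied by GET, and OPTIONS is always answered as preflight. So that it runs without the express package installed, MinimalRequest and MinimalResponse are structural stand-ins for Express's Request and Response (the real objects satisfy them, since statusCode, setHeader and end come from Node's http.ServerResponse), and RecordedResponse replaces a socket-backed response so the middleware can be probed with the methods a scanner would send. The names restrictMethods, decide, normaliseAllowlist, RecordedResponse and simulate are this example's own.

```typescript
// Added example, not code from the original page: an HTTP method allowlist
// middleware shaped for Express's app.use(), runnable without the express
// package. MinimalRequest/MinimalResponse are structural stand-ins for
// Express's Request/Response; all names below are this example's own.

const SAFE_DEFAULT: readonly string[] = ['GET', 'POST'];

export type MethodDecision =
  | { kind: 'route'; allow: string }                    // hand the request to the router
  | { kind: 'preflight'; status: 204; allow: string }   // answer OPTIONS here
  | { kind: 'reject'; status: 405; allow: string };     // refuse with Method Not Allowed

// Upper-cases and de-duplicates the configured list, adds HEAD when GET is
// present (RFC 9110 requires servers that support GET to support HEAD, and
// Express answers HEAD for GET routes automatically) and always adds OPTIONS
// (needed for CORS preflight).
export function normaliseAllowlist(allowed: readonly string[]): string[] {
  const set = new Set(allowed.map((m) => m.trim().toUpperCase()).filter((m) => m.length > 0));
  if (set.has('GET')) set.add('HEAD');
  set.add('OPTIONS');
  return [...set];
}

// Request methods are case-sensitive (RFC 9110), so the incoming method is
// compared as-is; only the configured list is normalised.
export function decide(method: string, allowed: readonly string[] = SAFE_DEFAULT): MethodDecision {
  const list = normaliseAllowlist(allowed);
  const allow = list.join(', ');
  if (method === 'OPTIONS') return { kind: 'preflight', status: 204, allow };
  if (list.includes(method)) return { kind: 'route', allow };
  return { kind: 'reject', status: 405, allow };
}

export interface MinimalRequest { method: string }
export interface MinimalResponse {
  statusCode: number;
  setHeader(name: string, value: string): unknown;
  end(body?: string): unknown;
}
export type Next = () => void;

// Express-compatible middleware: app.use(restrictMethods(['GET', 'POST'])).
// Both headers are derived from one list so the advertised and enforced
// method sets cannot drift apart as they did in the non-compliant code.
export function restrictMethods(allowed: readonly string[] = SAFE_DEFAULT) {
  return (req: MinimalRequest, res: MinimalResponse, next: Next): void => {
    const d = decide(req.method, allowed);
    res.setHeader('Allow', d.allow);
    res.setHeader('Access-Control-Allow-Methods', d.allow);
    if (d.kind === 'route') {
      next();
      return;
    }
    res.statusCode = d.status;
    res.end(d.kind === 'reject' ? 'Method Not Allowed' : undefined);
  };
}

// Records what the middleware did, standing in for a socket-backed response.
export class RecordedResponse implements MinimalResponse {
  statusCode = 200;
  headers: Record<string, string> = {};
  body = '';
  setHeader(name: string, value: string): void { this.headers[name] = value; }
  end(body?: string): void { this.body = body ?? ''; }
}

export interface ProbeResult {
  method: string;
  routed: boolean;           // true when next() was called
  status: number;            // 0 when the middleware did not answer the request itself
  allow: string | undefined; // value of the Allow header that was set
  body: string;
}

// Sends one constructed request through the middleware and reports the outcome.
export function simulate(method: string, allowed: readonly string[] = SAFE_DEFAULT): ProbeResult {
  const res = new RecordedResponse();
  let routed = false;
  restrictMethods(allowed)({ method }, res, () => { routed = true; });
  return { method, routed, status: routed ? 0 : res.statusCode, allow: res.headers['Allow'], body: res.body };
}

// Constructed probe set: the methods a scanner would try against the original server.
const PROBES = ['GET', 'HEAD', 'POST', 'OPTIONS', 'PUT', 'DELETE', 'TRACE'];
for (const r of PROBES.map((m) => simulate(m))) {
  console.log(`${r.method.padEnd(7)} -> ${r.routed ? 'passed to router' : `${r.status} ${r.body}`.trim()}`);
}
```

In a real deployment the factory is registered once, before any route, as app.use(restrictMethods(['GET', 'POST'])); the probe loop at the bottom is only there to show that GET, HEAD and POST reach the router, OPTIONS is answered with 204, and PUT, DELETE and TRACE are refused with 405 and an Allow header. The same probes should be repeated against the deployed host, since a proxy in front of the application may answer TRACE before the middleware ever sees it.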

References