Skip to main content

Insecure functionality - Password management

Need

Secure password management

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non compliant code

import express from 'express';

const app = express();

app.post('/change-password', (req, res) => {
  const { userId, newPassword } = req.body;
  
  // Insecure functionality - Password management vulnerability
  // Change the password to access the application of one user from another user's session
  // No permission check or authentication is performed here
  
  // Update the password for the given userId
  // This code is vulnerable as it allows changing the password for any user without proper authorization
  
  // ... code to update the password ...
  
  res.send('Password changed successfully');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in this code lies in the /change-password endpoint. It allows any user to change the password for any other user without proper authorization or permission checks.

The code receives a POST request with the userId and newPassword in the request body. However, it does not perform any authentication or authorization checks to ensure that the user making the request has the necessary permissions to change the password for the specified userId.

This means that any user, regardless of their role or privileges, can send a request to this endpoint and change the password for any other user in the system. This is a serious security flaw as it allows unauthorized access to user accounts and potential misuse of the application.

To fix this vulnerability, proper authentication and authorization mechanisms should be implemented. This could include verifying the user's identity through a login process and checking their permissions or role before allowing them to change the password for a specific user. Additionally, access controls should be implemented to ensure that users can only modify their own configurations within the application.

Steps

  • Implement proper authentication and authorization mechanisms to ensure that only authorized users can change their own passwords.
  • Verify the identity of the user making the password change request by requiring them to provide their current password.
  • Perform permission checks to ensure that the user has the necessary privileges to change their password.
  • Store passwords securely by using strong hashing algorithms and salting techniques.
  • Consider implementing additional security measures such as rate limiting and account lockouts to protect against brute force attacks.
  • Regularly update and patch the application and its dependencies to address any known vulnerabilities.

Compliant code

import express from 'express';

const app = express();

app.post('/change-password', (req, res) => {
  const { userId, currentPassword, newPassword } = req.body;
  
  // Implement proper authentication and authorization mechanisms
  // Verify the identity of the user making the password change request
  // Perform permission checks to ensure the user has necessary privileges
  
  // ... code to authenticate and authorize the user ...
  
  // Update the password for the given userId
  // Store passwords securely using strong hashing algorithms and salting techniques
  
  // ... code to securely update the password ...
  
  res.send('Password changed successfully');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code addresses the vulnerability by implementing proper authentication, authorization, and permission checks before allowing a user to change their password.

  1. The code uses the Express framework to create a server.
  2. It defines a route for the '/change-password' endpoint using the POST method.
  3. Inside the route handler, it extracts the necessary data from the request body, including the userId, currentPassword, and newPassword.
  4. The code then implements proper authentication and authorization mechanisms, which are not shown in the code snippet. These mechanisms should verify the identity of the user making the password change request and perform permission checks to ensure the user has the necessary privileges.
  5. After the authentication and authorization checks, the code securely updates the password for the given userId. It is recommended to store passwords securely using strong hashing algorithms and salting techniques, although the specific implementation is not shown in the code snippet.
  6. Finally, the code sends a response indicating that the password has been changed successfully.

By implementing proper authentication, authorization, and permission checks, the code ensures that only authorized users with the necessary privileges can change their passwords. This prevents the possibility of one user changing the password of another user from their session.

References

Last updated on