Insecure functionality - Masking

Need

Secure data masking

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and handling HTTP requests

Description

Non compliant code

import express from 'express';

const app = express();

app.get('/user/:id', (req, res) => {
  const userId = req.params.id;

  // Vulnerable: the object handed to the serializer carries the password,
  // so it is returned to the client in plain text
  const userData = {
    id: userId,
    name: 'John Doe',
    email: '[email protected]',
    password: 'password123',
  };

  res.json(userData);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in this code is related to insecure functionality - masking.

In the code, when a GET request is made to the '/user/:id' endpoint, the server retrieves the user ID from the request parameters. It then creates an object called userData which contains sensitive information such as the user's name, email, and password. Finally, it sends this userData object as a JSON response.

The problem is that the code does not mask or protect the sensitive information in any way. When the response is sent back to the client, it includes the user's password in plain text. This means that if an attacker intercepts or gains unauthorized access to the response, they can easily extract the user's password.

This vulnerability can have serious consequences, since it exposes sensitive and confidential user information to an attacker and compromises the security and privacy of the users.

To fix this vulnerability, the system should ensure that sensitive information, such as passwords, is properly masked or encrypted before being sent in the response. Additionally, sensitive data should be transmitted over a secure channel or method that guarantees its confidentiality and integrity, such as HTTPS instead of HTTP.

Steps

  • Do not include sensitive information in the response data
  • Mask or encrypt sensitive information before sending it in the response
  • Implement authentication and authorization mechanisms to restrict access to sensitive data
  • Use secure channels or methods to transmit sensitive information
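The following is an added example, not code from the original page, that implements the first three steps above in TypeScript: an allowlist projection that builds the response object from only the fields a client may see, partial masking of the email address, an ownership check before the record is read, and a final guard that refuses to serialize a body containing a secret key. The handler is written framework-independently so it runs without Express; in an Express route you would call res.status(result.status).json(result.body). The StoredUser type, the sample record, the FORBIDDEN_KEYS list and the "owner or admin" policy are all assumptions made for the example.

```typescript
// Added example (not the page's code): data masking for an Express-style user endpoint.

// Shape of the record as stored server-side (assumed for the example)
interface StoredUser {
  id: string;
  name: string;
  email: string;
  passwordHash: string; // must never leave the server
  ssn?: string;
}

// The only shape that may be serialized to a client
interface PublicUser {
  id: string;
  name: string;
  maskedEmail: string;
}

// Keys that must never appear anywhere in a response body (assumed list)
const FORBIDDEN_KEYS = new Set(['password', 'passwordHash', 'ssn', 'token']);

// Partial masking: keep the first character of the local part and the domain,
// replace the rest of the local part with asterisks. Malformed input is fully masked.
function maskEmail(email: string): string {
  const at = email.indexOf('@');
  if (at <= 0) return '***';
  const local = email.slice(0, at);
  const domain = email.slice(at + 1);
  return `${local.charAt(0)}${'*'.repeat(Math.max(local.length - 1, 2))}@${domain}`;
}

// Allowlist projection: fields are copied one by one, so a new column added to
// StoredUser later can never leak by accident (a denylist would have to be updated).
function toPublicUser(user: StoredUser): PublicUser {
  return { id: user.id, name: user.name, maskedEmail: maskEmail(user.email) };
}

// Defence in depth: walk the value about to be serialized and report any forbidden key
function containsForbiddenKey(value: unknown): boolean {
  if (Array.isArray(value)) return value.some(containsForbiddenKey);
  if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
      if (FORBIDDEN_KEYS.has(key) || containsForbiddenKey(child)) return true;
    }
  }
  return false;
}

// Authorization policy assumed for the example: a user reads only their own record
function canReadUser(requesterId: string, targetId: string, isAdmin: boolean): boolean {
  return isAdmin || requesterId === targetId;
}

interface HandlerResult {
  status: number;
  body: PublicUser | { error: string };
}

// Framework-independent equivalent of the GET /user/:id handler
function handleGetUser(requesterId: string, isAdmin: boolean, user: StoredUser): HandlerResult {
  if (!canReadUser(requesterId, user.id, isAdmin)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  const body = toPublicUser(user);
  // Fail closed if anything sensitive slipped into the response object
  if (containsForbiddenKey(body)) {
    throw new Error('refusing to serialize a body that contains a sensitive field');
  }
  return { status: 200, body };
}

// Constructed sample record; the hash is a placeholder, not a real credential
const sampleUser: StoredUser = {
  id: '42',
  name: 'John Doe',
  email: 'john.doe@example.com',
  passwordHash: '<placeholder-hash>',
};

// Stand-alone run: the owner gets a masked record, another user is refused
console.log(JSON.stringify(handleGetUser('42', false, sampleUser)));
console.log(JSON.stringify(handleGetUser('7', false, sampleUser)));
```

The allowlist is the important design choice: `toPublicUser` names every field it returns, so forgetting to strip a new sensitive column is impossible, whereas `delete userData.password` would silently miss `passwordHash`, `ssn` or any field added later. The `containsForbiddenKey` guard is a last line of defence for response objects that are assembled elsewhere in the code base.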

Compliant code

import express from 'express';

const app = express();

app.get('/user/:id', (req, res) => {
  const userId = req.params.id;

  // Only non-sensitive fields are placed in the response object;
  // the password is never copied into it
  const userData = {
    id: userId,
    name: 'John Doe',
  };

  res.json(userData);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code is written in TypeScript and uses the Express framework to create a server.

In this code, there is a single route defined using the app.get() method. The route is /user/:id, where :id is a dynamic parameter that represents the user ID.

Inside the route handler function, the user ID is extracted from the request parameters using req.params.id. Then, a userData object is created with a hardcoded name and the extracted user ID.

The userData object is then passed to the res.json() method, which serializes it into JSON and sets the appropriate headers to indicate that the response contains JSON data.

Because the password field is never copied into userData, res.json() serializes only the non-sensitive fields and the sensitive information is not exposed in the response. This ensures that the data is properly masked and the confidentiality of the user information is maintained.

Finally, the server is started on port 3000 using the app.listen() method, and a message is logged to the console to indicate that the server is running.