
Technical information leak - Credentials

Need

Protection of sensitive credentials from being exposed

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non compliant code

import express from 'express';

const app = express();

app.get('/login', (req, res) => {
  res.send(`
    <html>
      <head>
        <script>
          // The Direct Line secret is embedded in a page delivered to every browser
          const directLineSecretKey = 'YOUR_DIRECT_LINE_SECRET_KEY';
          // Rest of the login page script
        </script>
      </head>
      <body>
        <!-- Login form -->
      </body>
    </html>
  `);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

This code leaks technical information: the script embedded in the login page response contains the BotChat Direct Line Secret Key in plain text.

In the vulnerable code, when the /login route is accessed, the server sends an HTML response that includes a script tag. Inside that script tag, the Direct Line Secret Key is assigned to the directLineSecretKey variable, so anyone who can view the login page source can read the secret key.

This vulnerability can have a significant impact as an attacker can obtain the Direct Line Secret Key and potentially connect directly to the application bot, bypassing any authentication or security measures.

To mitigate this vulnerability, it is recommended to minify and obfuscate the script code to make it harder for an attacker to read and understand the secret key. Additionally, sensitive information like the Direct Line Secret Key should not be directly included in the code. Instead, it should be stored securely, such as using a vault service or environment variables, to protect it from unauthorized access.

Steps

  • Remove the direct line secret key from the script in the login page
  • Store the direct line secret key securely, such as in a vault service or environment variables
  • Minify and obfuscate the script to make it harder for attackers to read

Compliant code

import express from 'express';

const app = express();

app.get('/login', (req, res) => {
  res.send(`
    <html>
      <head>
        <!-- Script served from an external file; the secret must not be inside it either -->
        <script src="https://example.com/minified-and-obfuscated-script.js"></script>
      </head>
      <body>
        <!-- Login form -->
      </body>
    </html>
  `);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code is written in TypeScript and uses the Express framework to create a server.

First, we import the necessary modules, including the 'express' module.

Then, we create an instance of the Express application by calling the 'express()' function and assign it to the 'app' variable.

Next, we define a route for the '/login' endpoint using the 'app.get()' method. When a GET request is made to this endpoint, the server will respond with an HTML page that includes a script tag.

In this case, the script source is set to 'https://example.com/minified-and-obfuscated-script.js', indicating that the script file is hosted externally.

The HTML page also contains a login form, which is not relevant to the vulnerability fix.

Finally, we start the server by calling the 'app.listen()' method and specifying the port number (3000 in this case). This will make the server listen for incoming requests on port 3000.

Overall, this fixed code does not directly address the vulnerability described. To mitigate the vulnerability, the script file should be minified and obfuscated to prevent the secret key from being easily readable. Additionally, sensitive information like the secret key should be stored securely, such as using a vault service or environment variables.
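Since anything delivered to the browser can be read by whoever receives it, minified or not, the credential has to stay on the server. The following TypeScript is an added example, not the page's or Bot Framework's own code: the server reads the secret from an environment variable (DIRECT_LINE_SECRET, an assumed name), exchanges it for a short-lived token at the Direct Line token endpoint, and renders a login page that never contains the secret; the fetch implementation is injected so the exchange can be exercised offline.

```typescript
// Added example, not the page's own code: the Direct Line secret stays on the server and the
// browser receives only a short-lived token. Assumed: DIRECT_LINE_SECRET env var; standard endpoint.
const TOKEN_ENDPOINT = 'https://directline.botframework.com/v3/directline/tokens/generate';

interface TokenRequest { url: string; method: 'POST'; headers: Record<string, string> }
interface TokenResponse { token: string; expiresIn: number }
type FetchLike = (url: string, init: { method: string; headers: Record<string, string> }) =>
  Promise<{ status: number; text(): Promise<string> }>;

// Read the secret from the environment (pass process.env), never from source or templates.
function loadSecret(env: Record<string, string | undefined>): string {
  const secret = env.DIRECT_LINE_SECRET;
  if (!secret) throw new Error('DIRECT_LINE_SECRET is not set');
  return secret;
}

// The secret is used only here, server-side, as the bearer credential that mints a token.
function buildTokenRequest(secret: string): TokenRequest {
  return { url: TOKEN_ENDPOINT, method: 'POST', headers: { Authorization: `Bearer ${secret}` } };
}

// Anything other than HTTP 200 carrying a token is treated as a failed exchange.
function parseTokenResponse(status: number, body: string): TokenResponse {
  if (status !== 200) throw new Error(`Direct Line token request failed: HTTP ${status}`);
  const parsed = JSON.parse(body) as { token?: unknown; expires_in?: unknown };
  if (typeof parsed.token !== 'string') throw new Error('token missing from Direct Line reply');
  return { token: parsed.token, expiresIn: typeof parsed.expires_in === 'number' ? parsed.expires_in : 0 };
}

// Server-side exchange: secret in, short-lived token out. Wire it as an Express handler, e.g.
//   app.post('/api/directline/token', async (_req, res) =>
//     res.json(await exchangeSecretForToken(loadSecret(process.env), fetch)));
async function exchangeSecretForToken(secret: string, fetchImpl: FetchLike): Promise<TokenResponse> {
  const req = buildTokenRequest(secret);
  const resp = await fetchImpl(req.url, { method: req.method, headers: req.headers });
  return parseTokenResponse(resp.status, await resp.text());
}

// The login page the server renders: no credential inline, the browser asks our endpoint for a token.
function renderLoginPage(): string {
  return `<html><head><script>
  fetch('/api/directline/token', { method: 'POST' })
    .then(r => r.json())
    .then(({ token }) => { /* start Web Chat / Direct Line with the short-lived token */ });
</script></head><body><!-- Login form --></body></html>`;
}

// Regression check: a rendered response must never contain the secret itself.
function responseLeaksSecret(html: string, secret: string): boolean {
  return secret.length > 0 && html.includes(secret);
}
```

The token endpoint returns a token bound to a conversation and valid for a limited time, so a leaked page reveals at most that token, not the long-lived secret.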
