Server Insecure Transport

ID

javascript.server_insecure_transport

Severity

high

Resource

Information Leak

Language

JavaScript

Tags

CWE:319, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.4

Description

A web server is started without SSL/TLS support, which means that the server is not authenticated to the client, traffic is not encrypted, and data can be altered in transit.

Rationale

SSL/TLS (Secure Sockets Layer/Transport Layer Security) is crucial for securing online communications by encrypting data between a client’s browser and a server. This encryption ensures that sensitive information, such as passwords and credit card numbers, cannot be intercepted or read by unauthorized parties during transmission.

SSL/TLS also verifies the identity of websites, building trust with users and enhancing the credibility of online services. Furthermore, search engines like Google favor HTTPS-enabled sites in their rankings.

Without properly configuring SSL/TLS, a server is vulnerable to several risks:

  • Data Interception: Sensitive data can be easily intercepted and read by hackers, leading to identity theft and financial fraud.

  • Man-in-the-Middle Attacks: Threat actors can modify data during transmission, potentially injecting malware or altering transaction details.

  • SEO Penalties: Search engines may penalize non-HTTPS sites by ranking them lower, reducing visibility and traffic.

  • User Trust Issues: Users may be warned by browsers that the site is not secure, leading to a loss of trust and potential abandonment of the site.

The following example shows a basic Express server running over HTTP:

const express = require('express');
const app = express();
const port = 8080;

app.get('/', (req, res) => {
  // ... your logic ...
});

app.listen(port, () => {
    console.log(`Server running on http://localhost:${port}`);
});

Remediation

To fix the security issue, you can configure the server to use HTTPS by obtaining an SSL/TLS certificate and key. The certificate should be signed by a well-known and trusted certificate authority (CA).

Care must be taken to ensure that the private key is protected from unauthorized access and is read securely when the server starts. The private key is usually stored encrypted, and the password or key used to decrypt it must itself be protected from unauthorized access (for example, supplied through an environment variable or a secrets manager rather than hardcoded in the source).

Here is how you can modify the Express server to use SSL/TLS:

const express = require('express');
const https = require('https');
const fs = require('fs');
const path = require('path');
const app = express();
const port = 8443;

// Load SSL/TLS certificate and key
const options = {
    key: fs.readFileSync(path.join(__dirname, 'certs/host.key')),
    cert: fs.readFileSync(path.join(__dirname, 'certs/host.crt')),
};

app.get('/', (req, res) => {
   // ... your logic ...
});

// Create HTTPS server
const server = https.createServer(options, app);

server.listen(port, () => {
    console.log(`Server running on https://localhost:${port}`);
});

In this example, replace certs/host.key and certs/host.crt with the paths to your actual private key and certificate files. Decryption of an encrypted private key is not shown for simplicity.

Configuration

The rule has the following configurable parameters:

  • onlyHttps (true / false, default: false): If true, every HTTP server started in the code is reported. Otherwise, an HTTP server is reported only if no HTTPS server is also started.

References