Use of insecure channel - Source code
Need
Secure transmission of customer information
Context
• Usage of Dart for building cross-platform mobile, web, and desktop applications
• Usage of Shelf for managing and organizing data in a Node.js application
• Usage of shelf_io for managing and interacting with data storage in Node.js
Description
1. Non compliant code
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;
void main() {
  var handler = const shelf.Pipeline().addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);
}...The above code represents a simple backend server using the Shelf framework in Dart. The server is set up to listen on `localhost` at port `8080` and responds to all incoming requests with a simple message containing the requested URL. The vulnerability in this code lies in the fact that it uses an insecure HTTP channel to communicate, which does not provide any form of encryption for the transmitted data. This means that any sensitive information, such as customer data, that is transmitted over this channel can be intercepted and read by malicious third parties. In the context of this code, the vulnerability is specifically in the `io.serve(handler, 'localhost', 8080);` line. This line sets up the server to listen for incoming connections, but it does not specify any form of encryption to be used, thus creating an insecure channel. To exploit this vulnerability, an attacker would simply need to intercept the communication between the server and a client. Since the data is not encrypted, they would be able to read and potentially misuse any information they capture.
2. Steps
• Import the 'shelf' and 'shelf_io' packages from the 'shelf' library.
• Replace the 'serve' function with the 'serveSecure' function to enable secure communication.
• Provide the necessary parameters for the 'serveSecure' function, including the server certificate and private key.
• Ensure that the server certificate and private key are stored securely and are not accessible to unauthorized users.
• Test the application to ensure that customer information is now transmitted over a secure channel.
3. Secure code example
import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;
void main() {
  var handler = const shelf.Pipeline().addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);
  var serverCertificate = new SecurityContext()...The updated code now uses the `serveSecure` function from the `shelf_io` package instead of the `serve` function. This function enables secure communication over the network by using SSL/TLS encryption. A `SecurityContext` object is created, which is used to specify the server certificate and private key. The `useCertificateChain` method is used to specify the path to the server certificate, and the `usePrivateKey` method is used to specify the path to the private key. The password for the private key is also provided. The `serveSecure` function is then called with the handler, the hostname, the port, and the `SecurityContext` object as parameters. This ensures that all communication over the network is encrypted and secure. Please note that the paths to the server certificate and private key, as well as the password for the private key, should be stored securely and not be accessible to unauthorized users. After implementing these changes, test the application to ensure that customer information is now transmitted over a secure channel.
References
• 332. Use of insecure channel - Source code