
Use of an insecure channel - HTTP - Dart


Need

Secure transmission of client information


Context

  1. Usage of Dart for building cross-platform mobile, web, and desktop applications
  2. Usage of Shelf for managing database models and queries
  3. Usage of shelf_io for managing and interacting with data storage in an organized manner

Description

Insecure Code Example

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

void main() {
  var handler = const shelf.Pipeline().addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  io.serve(handler, 'localhost', 80).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}

The above code snippet represents a simple HTTP server set up using the Dart `shelf` package. The server listens on `localhost` on port `80`, the default port for HTTP. The function `_echoRequest` is used as the handler for all incoming requests; it simply returns a response containing the requested URL. The vulnerability lies in the use of the HTTP protocol over port `80`, which does not use encryption. This means that all data transmitted between the client and the server is unprotected and can be intercepted and read in plain text by anyone on the network path. This is a serious security risk, especially when dealing with sensitive data such as user credentials or confidential information.

Steps

  1. Switch from HTTP to HTTPS. HTTPS is a secure version of HTTP. It encrypts all communication between your browser and the website, ensuring that all data passed between them remains private.
  2. To use HTTPS, you need to obtain an SSL/TLS certificate from a Certificate Authority (CA). This certificate not only enables encryption, but also verifies the identity of your website.
  3. Once you have the certificate, install it on your server. The process varies depending on your server software.
  4. After installing the certificate, modify your server to listen on port 443, the default port for HTTPS, instead of port 80.
  5. Update your application to redirect HTTP traffic to HTTPS. This ensures that even if a user tries to access your site via HTTP, they will be redirected to the secure HTTPS version.
  6. Finally, test your implementation to ensure that HTTPS is working correctly. You can do this by trying to access your site via HTTP and HTTPS. The HTTP version should redirect to HTTPS, and the HTTPS version should load without any security warnings.

Secure Code Example

import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

void main() {
  var handler = const shelf.Pipeline().addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  // Load the certificate chain and private key for the HTTPS server.
  var context = SecurityContext()
    ..useCertificateChain('path/to/certificate.pem')
    ..usePrivateKey('path/to/private_key.pem', password: 'password');

  // shelf_io's serve() takes the context through its `securityContext`
  // named parameter; listening on 443 makes the server speak TLS.
  io.serve(handler, 'localhost', 443, securityContext: context).then((server) {
    print('Serving at https://${server.address.host}:${server.port}');
  });
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}

The updated code now uses HTTPS instead of HTTP. This is achieved by creating a `SecurityContext` and loading the SSL/TLS certificate and private key into it. The `SecurityContext` is then passed to the `serve` function through its `securityContext` parameter, which starts the server on port 443, the default port for HTTPS. The certificate and private key are loaded from the files 'path/to/certificate.pem' and 'path/to/private_key.pem'; replace these with the actual paths to your certificate and private key files. If your private key is password-protected, replace 'password' with the actual password. This change ensures that all communication between the client and the server is encrypted, protecting sensitive information from being intercepted in transit.

Please note that you need to obtain an SSL/TLS certificate from a Certificate Authority (CA) and install it on your server. The certificate not only enables encryption, but also verifies the identity of your website. After making these changes, test your implementation to ensure that HTTPS is working correctly. You can do this by trying to access your site via HTTP and HTTPS. The HTTP version should redirect to HTTPS, and the HTTPS version should load without any security warnings.
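Steps 4 and 5 above also call for keeping a port 80 listener that only redirects to HTTPS. The following is an added example, not code from the original page, showing that layout with the `shelf` and `shelf_io` packages: the HTTPS listener serves the application and sets a Strict-Transport-Security header, while the HTTP listener answers every request with a 301 to the configured host. The host name and the certificate and key paths are assumed placeholders.

```dart
import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

// Assumed values: replace with your own host name and key material paths.
const String hostName = 'localhost';
const String certPath = 'path/to/certificate.pem';
const String keyPath = 'path/to/private_key.pem';

// Handler for the plain-HTTP listener. It never serves content; it only
// sends a 301 to the same path and query on the HTTPS origin, using the
// configured host rather than echoing the client's Host header.
shelf.Response _redirectToHttps(shelf.Request request) {
  final target = request.requestedUri
      .replace(scheme: 'https', host: hostName, port: 443);
  return shelf.Response.movedPermanently(target.toString());
}

shelf.Response _echoRequest(shelf.Request request) =>
    shelf.Response.ok('Request for "${request.url}"');

Future<void> main() async {
  final securityContext = SecurityContext()
    ..useCertificateChain(certPath)
    ..usePrivateKey(keyPath);

  // Strict-Transport-Security: a browser that has reached the site over
  // HTTPS once will refuse to fall back to plain HTTP for a year.
  final hsts = shelf.createMiddleware(
    responseHandler: (response) => response.change(headers: {
      'strict-transport-security': 'max-age=31536000; includeSubDomains',
    }),
  );

  final secureHandler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addMiddleware(hsts)
      .addHandler(_echoRequest);

  // Port 443 is the only listener that serves application data.
  final https = await io.serve(secureHandler, hostName, 443,
      securityContext: securityContext);
  print('Serving at https://${https.address.host}:${https.port}');

  // Port 80 exists only to bounce legacy links over to HTTPS.
  final http = await io.serve(_redirectToHttps, hostName, 80);
  print('Redirecting http://${http.address.host}:${http.port} to HTTPS');
}
```

To check step 6, request a path over `http://` and confirm a 301 with a `Location` header on the HTTPS origin, then request the same path over `https://` and confirm the Strict-Transport-Security header is present.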


References

  • 372 - Use of an insecure channel - HTTP

Last updated: 2023/09/18