logo

Database

Need

Prevention of unauthorized access and manipulation of restricted fields

Context

• Usage of TypeScript for statically typed JavaScript development

• Usage of Express for building web applications and APIs

Description

1. Non compliant code

import express from 'express';

const app = express();
const employees = [
  { id: 1, name: 'John Doe', email: 'john@example.com', dni: '123456789' },
  { id: 2, name: 'Jane Smith', email: 'jane@example.com', dni: '987654321' },
];
app.put('/employees/:id', (req, res) => {...

The vulnerability in this code is that it allows an attacker to manipulate the restricted field (DNI) of other employees from different companies. The vulnerability arises from the fact that the code does not verify if the user making the request has the necessary permissions to modify the employee information. In the code, there is an endpoint defined as `PUT /employees/:id` which is used to update the DNI of an employee. The `id` parameter is used to identify the employee to be updated. The `dni` field is taken from the request body and used to update the employee's DNI. However, there is no check to ensure that the user making the request has the necessary permissions to modify the employee information. This means that any user, even without proper authorization, can send a request to this endpoint and modify the DNI of any employee in the `employees` array. This vulnerability allows an attacker to impersonate other employees by changing their DNI, and as a result, they can modify or replace the personal information of targeted employees, such as names, email addresses, dates of birth, addresses, and telephone numbers. To mitigate this vulnerability, the code should include a check to verify that the user making the request has the necessary permissions to modify the employee information. This could be done by implementing an authentication and authorization mechanism to ensure that only authorized users can access and modify the employee data.

2. Steps

• Implement authentication and authorization mechanisms to ensure that only authorized users can modify employee information.

• Validate the user's permissions before allowing them to update employee information.

• Add input validation to ensure that the provided DNI is in the correct format and meets any other necessary criteria.

• Consider implementing rate limiting or other security measures to prevent abuse and protect against brute force attacks.

• Store sensitive employee information securely, such as encrypting the DNI before storing it in the database.

• Regularly review and update the code to address any new security vulnerabilities or best practices.

3. Secure code example

import express from 'express';

const app = express();
const employees = [
  { id: 1, name: 'John Doe', email: 'john@example.com', dni: '123456789' },
  { id: 2, name: 'Jane Smith', email: 'jane@example.com', dni: '987654321' },
];
app.put('/employees/:id', (req, res) => {...

The fixed code addresses the vulnerability by implementing several measures to ensure the safety of the application. 1. The code defines an array of employee objects with their respective properties such as id, name, email, and dni. 2. The code sets up an Express server and defines a PUT route for updating employee information. The route expects the employee id as a parameter and the new dni value in the request body. 3. The code first checks if the employee with the given id exists in the employees array. If not, it returns a 404 error response indicating that the employee was not found. 4. Next, the code checks if the user making the request has the necessary permissions to update employee information. This is done by calling the `userHasPermission` function, which should contain the authentication and authorization logic. If the user does not have the necessary permissions, a 403 error response is returned. 5. The code then validates the provided dni value by calling the `isValidDNI` function. This function should contain the validation logic for the dni. If the dni is invalid, a 400 error response is returned. 6. Finally, if all the checks pass, the code updates the dni value of the employee object and returns a success message in the response. 7. The code also includes helper functions `userHasPermission` and `isValidDNI` which are placeholders for the actual implementation. These functions should be implemented with the appropriate logic for authentication, authorization, and dni validation. Overall, the fixed code ensures that only authorized users can update employee information and validates the provided dni value to prevent any unauthorized changes to employee data.