Javascript Insecure Sensitive Information File Storage
Description
This detector identifies JavaScript code that writes sensitive information to files through unprotected file system operations. When sensitive data (credentials, payment card data, personal data) is written to disk in cleartext, or to a file whose permissions do not restrict access, it can be read by unauthorized users or processes on the host, leading to data exposure and potential security breaches.
Detection Strategy
• Scans JavaScript code for file system write operations using the 'fs' module (or its aliases)
• Identifies calls to file system write methods like writeFile, writeFileSync, appendFile, appendFileSync and other write operations defined in FS_WRITE_SINKS
• Detects stream write operations using 'write' and 'writeln' methods on file streams
• Confirms that the receiver of the call is the 'fs' module (or an alias of it, or a stream it created), so that unrelated write methods, such as those on HTTP responses or sockets, are not reported
• Reports a finding for each such file write, since it may be storing sensitive information insecurely; the detector does not track whether the written value is sensitive, so each finding must be reviewed against the data actually being written
Vulnerable code example
const fs = require('fs');
const express = require('express');
const app = express();
app.post('/save-card', (req, res) => {
  const cvv = req.body.cvv; // User input
  // Storing sensitive PCI data in cleartext...
✅ Secure code example
const fs = require('fs');
const express = require('express');
const crypto = require('crypto');
const app = express();
app.use(express.json());
app.post('/save-card', (req, res) => {
...