cloudfoundry/stratos

Communications.Unencrypted : Open communication scheme found in code (High Severity Issue)

anugu-vijaykanth opened this issue · 1 comments

Stratos Version

Stratos Version 4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

When we do an AppScan static scan, the scanning results shouldn’t yield any vulnerabilities.

Actual behaviour

We ran AppScan and these vulnerabilities were marked as High Severity issues.

Steps to reproduce the behavior

AppScan Go: version 0.1.7

Steps

  1. Open the AppScan Go application.

  2. Check out the Stratos code, release 4.4.0 (https://github.com/cloudfoundry/stratos.git), on your local machine.

  3. Choose the type of scan, i.e. Complete Security Scan.

  4. Click on the Browse button and browse to the src folder (except the test-e2e folder) of the Stratos project that you checked out in step 2.

  5. AppScan Go! retrieves the appropriate files from the selected folder and lists them for review. No need to change anything here; just click on the Continue button.

  6. Click on the Create a new scan button ---> Initiate scan: this will initiate the scan process.

  7. When the upload to AppScan on Cloud is complete, click the link to review the status or results of the scan in the AppScan on Cloud service (you will see lots of high severity issues).

Reference: https://help.hcltechsw.com/appscan/ASoC/src_irx_gen_gui.html

Log output covering before error and any error statements

Insert log here

[image attachment]

Detailed Description

Exact Location where the issue occurs:
https://github.com/cloudfoundry/stratos/blob/master/src/jetstream/plugins/monocular/cache.go#L371
https://github.com/cloudfoundry/stratos/blob/master/src/jetstream/plugins/monocular/cache.go#L379
https://github.com/cloudfoundry/stratos/blob/master/src/jetstream/plugins/userinvite/invite.go#L380
https://github.com/cloudfoundry/stratos/blob/master/src/jetstream/plugins/cloudfoundryhosting/main.go#L176

Cause:
The application does not use a secure channel, such as TLS/SSL, to exchange sensitive information. Therefore, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is not technically difficult, but does require physical access to some portion of the network over which the sensitive data travels. This access is usually somewhere near where the user is connected to the network (such as a colleague on the company network) but can be anywhere along the path from the user to the end server.

Sensitive input fields such as usernames, passwords and credit card numbers are passed unencrypted to the server and/or back to the user.

Fix recommendation:
You should always transmit all data over a TLS/SSL connection only. This includes all communications with browsers. It also includes all backend connections with databases, servers, and other services.

In addition, several privacy regulations state that sensitive information such as user credentials will always be sent encrypted to the web site.

Always enforce the use of an encrypted connection (e.g. TLS/SSL), and do not allow access to sensitive information using unencrypted HTTP.

Use TLS 1.2 or TLS 1.3 and use strong cryptographic hashing algorithms and cipher suites.

Context

Open communication scheme found in Code.

Possible Implementation

When the internet and all services therein switch to https, we can come back and address this in Stratos.
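The fix recommendation above asks that backend connections be made only over TLS 1.2 or 1.3 with strong cipher suites and that plain http:// never be used for sensitive data. The following Go example is added here as an illustration of that recommendation; it is not Stratos's own code and does not reproduce the cache.go, invite.go or main.go logic the finding points at. The function names (RequireHTTPS, NewTLSClient, Get, MinTLSVersion) and the charts.example.invalid host are constructed for the example. It rejects any non-https URL before a single packet is sent, pins the client to TLS 1.2 as the minimum, restricts the TLS 1.2 suites to ECDHE AES-GCM, and refuses redirects that would downgrade to http.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// ErrInsecureScheme is returned for any URL whose scheme is not https.
var ErrInsecureScheme = errors.New("refusing to use an unencrypted (non-https) URL")

// RequireHTTPS parses raw and returns it only if it uses https and names a host.
// Calling this before building a request means a misconfigured http:// endpoint
// fails closed instead of leaking credentials or tokens on the wire.
func RequireHTTPS(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%w: %q", ErrInsecureScheme, raw)
	}
	if u.Host == "" {
		return nil, fmt.Errorf("url %q has no host", raw)
	}
	return u, nil
}

// NewTLSClient returns an http.Client that negotiates TLS 1.2 or 1.3 only,
// limits the TLS 1.2 cipher suites to forward-secret AES-GCM, and refuses to
// follow a redirect to a non-https location.
func NewTLSClient() *http.Client {
	transport := &http.Transport{
		TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
			// Go does not allow configuring TLS 1.3 suites; this list governs TLS 1.2 only.
			CipherSuites: []uint16{
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			},
		},
	}
	return &http.Client{
		Transport: transport,
		Timeout:   30 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			// A 3xx to http:// would silently downgrade the connection; stop there.
			if _, err := RequireHTTPS(req.URL.String()); err != nil {
				return err
			}
			if len(via) >= 10 {
				return errors.New("too many redirects")
			}
			return nil
		},
	}
}

// MinTLSVersion reports the minimum TLS version the client will negotiate.
func MinTLSVersion(c *http.Client) uint16 {
	return c.Transport.(*http.Transport).TLSClientConfig.MinVersion
}

// Get performs a GET with the hardened client, after the scheme check.
func Get(c *http.Client, raw string) (*http.Response, error) {
	u, err := RequireHTTPS(raw)
	if err != nil {
		return nil, err
	}
	return c.Get(u.String())
}

func main() {
	c := NewTLSClient()
	// Constructed sample URLs; the host is a placeholder and is never contacted here.
	for _, raw := range []string{
		"http://charts.example.invalid/index.yaml",
		"https://charts.example.invalid/index.yaml",
	} {
		if _, err := RequireHTTPS(raw); err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("accept: %s (min TLS 0x%04x)\n", raw, MinTLSVersion(c))
	}
}
```

The scheme check is deliberately separate from the client so that it can also be applied where endpoint URLs are read from configuration, which is where an http:// value usually enters a service in the first place.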