Made by DeepSource

Audit: Insecure clear text protocol JS-D019

Security
Major
Tags: Autofix, A02, CWE-200, CWE-319, SANS Top 25, OWASP Top 10

Configuring your application to use unsafe clear-text protocols can expose sensitive information to anyone on the network path.

Clear-text protocols such as plain FTP or HTTP do not encrypt data in transit and give the client no way to verify the identity of the remote endpoint (credentials such as an FTP password are themselves sent in the clear). Any attacker positioned on the network path can read, modify or corrupt the transported content. These protocols expose applications to a wide range of risks:

  • Sensitive data exposure
  • Traffic redirection to a malicious endpoint
  • Malware infected software updates or installers
  • Execution of unauthorized client side code
  • Corruption of critical information

This issue checks for insecure configurations in the following libraries:

  • ftp
  • nodemailer
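The rule above boils down to inspecting the options object handed to each library. The following is an added example, not DeepSource's analyzer and not code from either library: it classifies a nodemailer SMTP options object and an `ftp` connect options object by the transport mode they produce, and reports every configuration that can leave the session in clear text. It opens no network connection; the option names (`secure`, `requireTLS`, `ignoreTLS` for nodemailer; `secure` for `ftp`) are the libraries' documented ones, the config names and hostnames are constructed.

```javascript
// Classify transport options the way a clear-text-protocol check would.
// Added example: inspects option objects only, never connects anywhere.

// nodemailer SMTP transport: `secure: true` means TLS from the first byte
// (implicit TLS, conventionally port 465). With `secure: false` the client
// may still upgrade via STARTTLS, but only `requireTLS: true` makes that
// mandatory; `ignoreTLS: true` disables the upgrade entirely.
function classifySmtp(opts = {}) {
  if (opts.secure === true) return 'implicit-tls';
  if (opts.ignoreTLS === true) return 'cleartext';
  if (opts.requireTLS === true) return 'starttls-required';
  // Default: STARTTLS is attempted only if the server advertises it, so an
  // attacker who strips the advertisement keeps the session in the clear.
  return 'opportunistic';
}

// `ftp` client: `secure` accepts true (explicit FTPS via AUTH TLS on the
// control and data channels), 'control' (control channel only) or 'implicit'.
function classifyFtp(opts = {}) {
  const s = opts.secure;
  if (s === true) return 'ftps-explicit';
  if (s === 'implicit') return 'ftps-implicit';
  if (s === 'control') return 'ftps-control-only'; // file data still travels in clear text
  return 'cleartext';
}

// Modes in which neither credentials nor payload can be sent unencrypted.
const SAFE_MODES = new Set([
  'implicit-tls', 'starttls-required', 'ftps-explicit', 'ftps-implicit',
]);

// Returns one finding per transport that is not in a safe mode.
function audit(configs) {
  const findings = [];
  for (const { name, kind, options } of configs) {
    const mode = kind === 'smtp' ? classifySmtp(options) : classifyFtp(options);
    if (!SAFE_MODES.has(mode)) findings.push({ name, mode });
  }
  return findings;
}

// Constructed sample configs mirroring the Bad Practice and Recommended blocks,
// plus nodemailer's defaults (no `secure`, no `requireTLS`).
const SAMPLE_CONFIGS = [
  { name: 'mail-bad',     kind: 'smtp', options: { secure: false, requireTLS: false } },
  { name: 'mail-default', kind: 'smtp', options: {} },
  { name: 'mail-good',    kind: 'smtp', options: { secure: true, requireTLS: true } },
  { name: 'ftp-bad',      kind: 'ftp',  options: { secure: false } },
  { name: 'ftp-good',     kind: 'ftp',  options: { secure: true } },
];

if (typeof require !== 'undefined' && require.main === module) {
  // Prints the three clear-text-capable transports: mail-bad, mail-default, ftp-bad.
  console.log(audit(SAMPLE_CONFIGS));
}
```

The point the default entry makes is that omitting the options is not the same as the Recommended block: nodemailer's defaults produce opportunistic STARTTLS, which a network attacker can downgrade, so a check that only looks for literal `false` values would miss it.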

Bad Practice

// nodemailer
import nodemailer from 'nodemailer'
const transporter = nodemailer.createTransport({
  host: 'smtp.example.com', // placeholder host
  port: 587,
  secure: false,     // no TLS on connect; STARTTLS is only opportunistic
  requireTLS: false  // delivery proceeds in clear text if the server does not offer STARTTLS
})

// ftp
import Client from 'ftp'
const client = new Client()
client.connect({
  host: 'ftp.example.com', // placeholder host
  secure: false // credentials and file data are sent unencrypted
})

Recommended

// nodemailer
import nodemailer from 'nodemailer'
const transporter = nodemailer.createTransport({
  host: 'smtp.example.com', // placeholder host
  port: 465,                // implicit TLS port
  secure: true,             // TLS from the first byte, no clear-text phase
  requireTLS: true          // if secure were false, still refuse to send without STARTTLS
})

// ftp
import Client from 'ftp'
const client = new Client()
client.connect({
  host: 'ftp.example.com', // placeholder host
  secure: true // Compliant: explicit FTPS (AUTH TLS) on both control and data channels
})
