HIGH cryptographic failureshapijavascript

Cryptographic Failures in Hapi (Javascript)

Scan for cryptographic failures in hapi

Cryptographic Failures in Hapi with Javascript — how this specific combination creates or exposes the vulnerability

Cryptographic failures occur when applications fail to properly implement or enforce encryption and key management, and Hapi applications written in JavaScript are susceptible when cryptography is misused or omitted. In Hapi, these failures commonly arise in three dimensions: transport security, data protection at rest or in transit, and insecure use of cryptographic primitives in business logic.

In the transport dimension, a Hapi server that terminates HTTP without enforcing HTTPS can expose session tokens, authentication headers, or serialized JWTs to network interception. JavaScript code that constructs URLs or redirects without enforcing TLS can lead to downgrade attacks or cleartext transmission of sensitive information. For example, a route that redirects to an http:// endpoint or serves cookies without the Secure flag increases the likelihood of session hijacking.

At the data protection dimension, storing or transmitting sensitive data such as passwords, API keys, or PII without appropriate cryptographic safeguards is a common failure in Hapi services built with JavaScript. Using weak or deprecated algorithms (e.g., MD5 for hashing, static IVs with AES-CBC, or no authentication tag with encryption) can allow attackers to recover plaintext or forge tokens. Storing secrets in environment variables is not sufficient if the application logs them, serializes them insecurely, or fails to validate inputs that may lead to insecure deserialization or prototype pollution.

In the cryptographic primitives dimension, JavaScript developers using Hapi may inadvertently introduce weaknesses by selecting insecure algorithms, reusing nonces, or mishandling keys. For instance, using a static initialization vector or deriving keys without a proper key-derivation function (e.g., missing salt or iterations in PBKDF2) undermines confidentiality. Similarly, failing to verify the integrity of incoming JWTs or webhook signatures can lead to token tampering or webhook replay attacks. These issues are especially impactful when combined with Hapi’s rich plugin ecosystem, where misconfigured routes or extensions may inadvertently expose unauthenticated endpoints that handle sensitive data without encryption or proper validation.

middleBrick’s unauthenticated scan detects such cryptographic failures by analyzing the API surface and OpenAPI specification, identifying routes that transmit data without TLS, inspect headers for missing security attributes, and flag weak or missing cryptographic controls. The scan checks for indicators such as cleartext credentials in logs, missing Secure and HttpOnly cookie flags, and improper usage of cryptographic libraries. Findings include severity, a description of the vulnerability, and remediation guidance mapped to frameworks like OWASP API Top 10 and common misuses in JavaScript Hapi services.

Javascript-Specific Remediation in Hapi — concrete code fixes

To remediate cryptographic failures in Hapi with JavaScript, enforce transport security, apply strong cryptographic primitives, and harden data handling. Below are concrete code examples and configurations that address each dimension.

1. Enforce HTTPS and secure transport

Ensure the server only listens on HTTPS and that critical routes require TLS. Configure cookies with Secure and HttpOnly flags, and avoid insecure redirects.

const Hapi = require('@hapi/hapi');
const tlsOptions = {
  key: require('fs').readFileSync('/path/to/server.key'),
  cert: require('fs').readFileSync('/path/to/server.crt')
};

const init = async () => {
  const server = Hapi.server({
    port: 443,
    host: 'api.example.com',
    tls: tlsOptions
  });

  server.route({
    method: 'GET',
    path: '/secure-data',
    options: {
      handler: (request, h) => {
        // Ensure sensitive responses are only sent over HTTPS
        return { message: 'Secure payload' };
      },
      cookies: {
        // Enforce Secure and HttpOnly for session cookies
        parse: true,
        failAction: 'error'
      }
    }
  });

  await server.start();
  console.log('HTTPS server running on', server.info.uri);
};

init().catch(err => {
  console.error(err);
});

2. Strong password hashing and key derivation

Use a strong, adaptive key-derivation function for passwords and secrets. Avoid plain hashes or weak algorithms. With JavaScript, prefer scrypt or bcrypt via a well-maintained library.

const bcrypt = require('@hapi/bcrypt');

const hashPassword = async (plain) => {
  const saltRounds = 12;
  return await bcrypt.hash(plain, saltRounds);
};

const verifyPassword = async (plain, hashed) => {
  return await bcrypt.compare(plain, hashed);
};

// Usage in a Hapi handler
server.route({
  method: 'POST',
  path: '/register',
  handler: async (request, h) => {
    const { username, password } = request.payload;
    const hashed = await hashPassword(password);
    // Store username and hashed in database
    return h.response({ registered: true }).code(201);
  }
});

3. Secure JWT handling and input validation

When using JWTs, always verify signatures, enforce strong algorithms, set appropriate expiration, and validate input to prevent tampering and injection.

const jwt = require('@hapi/joi');
const Jwt = require('jsonwebtoken');

const signToken = (payload) => {
  return Jwt.sign(payload, process.env.JWT_SECRET, { algorithm: 'HS256', expiresIn: '15m' });
};

const verifyToken = (token) => {
  try {
    return Jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
  } catch (err) {
    throw new Error('Invalid token');
  }
};

server.route({
  method: 'GET',
  path: '/profile',
  options: {
    validate: {
      headers: jwt.object({
        authorization: jwt.string().required().regex(/^Bearer\s+/)
      })
    },
    handler: (request, h) => {
      const token = request.headers.authorization.split(' ')[1];
      const decoded = verifyToken(token);
      return { user: decoded.sub };
    }
  }
});

4. Prevent logging and serialization of secrets

Ensure sensitive values are not inadvertently logged or serialized. Sanitize inputs and outputs, and avoid including secrets in URLs or error messages.

const safeLogger = (data) => {
  const { password, apiKey, ...safe } = data;
  console.log('Safe payload:', safe);
};

// Example usage
safeLogger({ username: 'alice', password: 's3cret', apiKey: 'ak_live_xxx' });

By combining HTTPS enforcement, strong key derivation, strict JWT validation, and careful handling of secrets, Hapi applications written in JavaScript can mitigate cryptographic failures. middleBrick’s scans highlight these areas and provide prioritized findings with remediation guidance to help reduce risk.

Scan for cryptographic failures in hapi Free API security scan

Frequently Asked Questions

How does middleBrick detect cryptographic failures in Hapi APIs?
middleBrick analyzes the API surface and, when available, the OpenAPI/Swagger specification to identify routes that transmit data without TLS, inspect security headers, and flag weak or missing cryptographic controls such as missing Secure/HttpOnly cookie flags, cleartext credentials, and improper use of hashing or encryption primitives.
Can middleBrick fix cryptographic issues in my Hapi service?
middleBrick detects and reports cryptographic failures and provides remediation guidance. It does not automatically fix, patch, block, or remediate issues; developers should apply the suggested fixes, such as enforcing HTTPS, using strong key derivation, and securing cookie attributes.

Related Pages

Cryptographic Failures in HapiDiscover cryptographic failures in Hapi applications including weak authentication, insecure session management, and traCWE-1104 in Hapi (Javascript)Explore CWE-1104 in Hapi with JavaScript, understand how missing validation creates incorrect element usage, and apply cCWE-116 in Hapi (Javascript)Explore CWE-116 in Hapi with JavaScript: causes, reflected XSS examples, and secure coding fixes using escape-html and hCWE-113 in Hapi (Javascript)CWE-113 in Hapi with JavaScript: causes, risks, and fixes including header and cookie sanitization and Joi validation exCWE-1039 in Hapi (Javascript)CWE-1039 in Hapi with JavaScript: causes and JavaScript-specific fixes with secure code examples.Hipaa: Cryptographic Failures in HapiHIPAA, cryptographic failures, and Hapi: how insecure encryption and TLS expose ePHI, plus concrete Hapi code fixes to eGdpr: Cryptographic Failures in HapiExplore GDPR risks in cryptographic failures with Hapi APIs. Learn Hapi-specific fixes and secure code examples for HTTPIso 27001: Cryptographic Failures in HapiExplore ISO 27001 controls for cryptographic failures in Hapi APIs with practical code examples and remediation guidanceCryptographic Failures in Hapi with Jwt TokensExplore cryptographic failures with Jwt Tokens in Hapi, see remediation examples, and learn how middleBrick detects thesCryptographic Failures in Hapi with Basic AuthExplore cryptographic failures with Basic Auth in Hapi, practical remediation code, and how middleBrick detects weaknessCryptographic Failures in Hapi with Api KeysExplore cryptographic failures in Hapi with API keys, including TLS enforcement, secure validation, and key rotation patCis: Cryptographic Failures in HapiUnderstand CIS-related cryptographic failures in Hapi servers and apply concrete Hapi code fixes to enforce TLS, validat