Downloading executeables or other sensitive files over an unencrypted connection

can leave a server open to man-in-the-middle attacks (MITM).

Such a man-in-the-middle attack can allow an attacker to insert arbitary content

into the downloaded file, and in the worst case allow the attacker to execute

arbitary code on the vulnerable system.

Use an transfer protocol that includes encryption when downloading executeables or other sensitive files.

In this example a server downloads a shell script from a remote URL using the <code>node-fetch</code>

library, and then executes this shell script.

<sample src="examples/insecure-download.js" />

<p>

The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded

shell script with arbitary code, which allows the attacker complete control over the attacked system.

</p>

<p>

The issue has been fixed in the below example by replacing the HTTP protocol with the HTTPS protocol.

</p>

<sample src="examples/insecure-download.js" />

<li>OWASP: <a href="https://owasp.org/www-community/attacks/Man-in-the-middle_attack">Man-in-the-middle attack</a>.</li>