Automatic information enumeration - Credit Cards

Need

Enhancement of credit card validation and security measures

Context

  • Usage of C# 7.0 for modern language features and enhancements
  • Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core
  • Usage of Microsoft.EntityFrameworkCore for database access and object-relational mapping (ORM) in .NET applications

Description

Non compliant code

using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Entity persisted as-is: full card number, expiry date and security code in clear text.
public class CreditCard
{
    public string CardNumber { get; set; }
    public string ExpiryDate { get; set; }
    public string SecurityCode { get; set; }
}

public class CreditCardController : Controller
{
    private readonly ApplicationDbContext _context;

    public CreditCardController(ApplicationDbContext context)
    {
        _context = context;
    }

    // No [Authorize] and no filtering: any caller receives every stored card.
    public async Task<IActionResult> Index()
    {
        return View(await _context.CreditCards.ToListAsync());
    }
}

The code above defines a CreditCard entity and a controller whose Index action returns every row of the CreditCards table to the caller.

The CreditCard class holds the full card number (PAN), the expiry date and the security code as plain strings. Keeping the security code at all is already a problem: under PCI DSS the card security code is sensitive authentication data that must not be retained after authorization, so it has no place in a persisted entity.

The Index action of CreditCardController carries no authorization attribute and applies no filtering, so it hands the complete list of stored cards to whoever requests the URL.

This is the enumeration issue: an attacker who discovers the endpoint does not have to guess anything. A single unauthenticated request returns every card number, expiry date and security code in the database.

Input validation is also absent. Nothing checks that the card number passes a checksum, that the expiry date lies in the future or that the security code has the expected length, so malformed and expired records are accepted and later served back alongside the valid ones.

In short, the vulnerability is that Index exposes all stored card data with no access control, while the data model and input path add no validation and retain data that should never be stored. Together these allow automatic enumeration of cardholder data, which is a serious security risk.

Steps

  • Validate card input on entry: a Luhn checksum on the number, an expiry date that is not in the past, and a security code of the right length (3 digits, 4 for American Express).
  • Store card data only as a vault token, or as an encrypted number with keys kept outside the application database; never persist the security code.
  • Enforce authentication and authorization on every action that reads card data, and scope reads to the requesting user unless the caller is an administrator.
  • Regularly update and patch the application, including the ASP.NET Core framework and third-party packages, to stay protected against known vulnerabilities.
  • Log and monitor access to card data (who, when, which records) without writing card numbers or security codes to the log.
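The following controller is an added end-to-end example, not code from the original page, that puts the steps above together: validated input, tokenized storage that never keeps the security code, per-user and admin-only reads, and access logging. It assumes ApplicationDbContext exposes a DbSet<StoredCard> named StoredCards, and ICardTokenizer is a hypothetical abstraction over a payment vault or PSP tokenization API.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;

// Request-scoped input model: the only place the full PAN and security code exist.
public class CreditCardInput
{
    [Required, CreditCard, StringLength(23, MinimumLength = 13)]   // [CreditCard] = Luhn check
    public string CardNumber { get; set; }

    [Range(1, 12)]
    public int ExpiryMonth { get; set; }

    [Range(2000, 2100)]
    public int ExpiryYear { get; set; }

    [Required, RegularExpression(@"^\d{3,4}$", ErrorMessage = "Invalid security code")]
    public string SecurityCode { get; set; }   // 3 digits, 4 for American Express

    // A card is valid through the last day of its expiry month.
    public bool IsExpired(DateTime nowUtc) =>
        nowUtc.Date > new DateTime(ExpiryYear, ExpiryMonth, 1).AddMonths(1).AddDays(-1);
}

// What is persisted: a vault token plus display data. No PAN, no security code.
public class StoredCard
{
    public int Id { get; set; }
    public string OwnerId { get; set; }
    public string Token { get; set; }
    public string Last4 { get; set; }
    public int ExpiryMonth { get; set; }
    public int ExpiryYear { get; set; }
}

// Hypothetical vault abstraction (assumption): exchanges card data for an opaque token.
public interface ICardTokenizer
{
    Task<string> TokenizeAsync(string pan, string securityCode, int month, int year);
}

[Authorize]   // every action requires an authenticated user
public class CreditCardController : Controller
{
    private readonly ApplicationDbContext _context;   // assumed: DbSet<StoredCard> StoredCards
    private readonly ICardTokenizer _tokenizer;
    private readonly ILogger<CreditCardController> _logger;

    public CreditCardController(ApplicationDbContext context, ICardTokenizer tokenizer,
                                ILogger<CreditCardController> logger)
    {
        _context = context;
        _tokenizer = tokenizer;
        _logger = logger;
    }

    private string CurrentUserId => User.FindFirst(ClaimTypes.NameIdentifier)?.Value;

    // Users see only their own cards, and only the masked form.
    public async Task<IActionResult> Index()
    {
        var userId = CurrentUserId;
        var cards = await _context.StoredCards
            .Where(c => c.OwnerId == userId)
            .Select(c => new { c.Id, Masked = "**** **** **** " + c.Last4, c.ExpiryMonth, c.ExpiryYear })
            .ToListAsync();
        _logger.LogInformation("User {UserId} listed {Count} stored cards", userId, cards.Count);
        return View(cards);
    }

    // Cross-owner listing is an administrative operation and is audited.
    [Authorize(Roles = "Admin")]
    public async Task<IActionResult> All()
    {
        _logger.LogWarning("Admin {Admin} listed all stored cards", User.Identity?.Name);
        return View(await _context.StoredCards.ToListAsync());   // tokens and last four digits only
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Create(CreditCardInput input)
    {
        if (!ModelState.IsValid)
            return View(input);   // Luhn, range and regex failures end here

        var digits = new string(input.CardNumber.Where(char.IsDigit).ToArray());
        if (digits.Length < 13)   // Luhn alone accepts very short inputs such as "0"
            ModelState.AddModelError(nameof(input.CardNumber), "Card number too short");
        if (input.IsExpired(DateTime.UtcNow))
            ModelState.AddModelError(nameof(input.ExpiryMonth), "Card has expired");
        if (!ModelState.IsValid)
            return View(input);

        var token = await _tokenizer.TokenizeAsync(digits, input.SecurityCode,
                                                   input.ExpiryMonth, input.ExpiryYear);
        var last4 = digits.Substring(digits.Length - 4);
        _context.StoredCards.Add(new StoredCard
        {
            OwnerId = CurrentUserId, Token = token, Last4 = last4,
            ExpiryMonth = input.ExpiryMonth, ExpiryYear = input.ExpiryYear
        });
        await _context.SaveChangesAsync();
        _logger.LogInformation("User {UserId} stored card ending {Last4}", CurrentUserId, last4);
        return RedirectToAction(nameof(Index));
    }
}
```

The PAN and security code live only in CreditCardInput for the duration of the POST; what reaches the database is the token, the last four digits and the expiry. Index filters by the caller's own identity, so even a valid session cannot enumerate other users' cards, and the unfiltered listing sits behind the Admin role and produces a warning-level audit entry. For the [Authorize] attributes to take effect, UseAuthentication() and UseAuthorization() must be registered in the middleware pipeline.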

Compliant code

using System;
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

public class CreditCard
{
    public string CardNumber { get; set; }
    public string ExpiryDate { get; set; }
    public string SecurityCode { get; set; }   // still persisted in clear text here
}

public class CreditCardController : Controller
{
    private readonly ApplicationDbContext _context;

    public CreditCardController(ApplicationDbContext context)
    {
        _context = context;
    }

    // Only authenticated users in the Admin role may list stored cards.
    [Authorize(Roles = "Admin")]
    public async Task<IActionResult> Index()
    {
        return View(await _context.CreditCards.ToListAsync());
    }
}

// Validation runs when an action binds this model and checks ModelState.IsValid.
public class CreditCardViewModel
{
    [Required]
    [CreditCard]   // Luhn checksum over the digits, spaces and dashes ignored
    public string CardNumber { get; set; }

    [Required]
    [DataType(DataType.Date)]
    [DisplayFormat(ApplyFormatInEditMode = true, DataFormatString = "{0:MM/yyyy}")]
    public DateTime ExpiryDate { get; set; }

    [Required]
    [RegularExpression(@"^\d{3}$", ErrorMessage = "Invalid Security Code")]   // verbatim string: single backslash
    public string SecurityCode { get; set; }
}

The code above fixes the vulnerability by implementing the following changes:

  1. Validation: The CreditCardViewModel class is introduced to validate card input; it takes effect only when an action binds it and checks ModelState.IsValid. The CardNumber property is decorated with [CreditCard], which strips spaces and dashes and verifies the Luhn checksum, so mistyped numbers are rejected (it does not prove that the card exists). The ExpiryDate property is a DateTime, so model binding rejects values that are not dates; [DataType(DataType.Date)] and [DisplayFormat] only control rendering and do not reject a date in the past, which needs an explicit check. The SecurityCode property is decorated with [RegularExpression(@"^\d{3}$", ErrorMessage = "Invalid Security Code")] so that it must be exactly three digits. In a verbatim (@) string the pattern must use a single backslash, since @"\\d" would match a literal backslash followed by d; and American Express cards carry a four-digit code, which this pattern rejects.

  2. Access Control: The Index action method in the CreditCardController class is decorated with the [Authorize(Roles = "Admin")] attribute, so unauthenticated requests are challenged and authenticated users outside the "Admin" role receive a 403. This only works when UseAuthentication() and UseAuthorization() are registered in the middleware pipeline.

  3. Secure Storage: The CreditCard entity above still persists the security code, which PCI DSS does not allow after authorization; that column should be removed entirely. The card number should be replaced by a token from a payment vault or, if it must be kept, encrypted with keys managed outside the application database (for example in a key management service), with decryption confined to the component that actually needs the number.

  4. Regular Updates and Patches: Regularly update and patch the application to ensure it is protected against known vulnerabilities. This includes updating the ASP.NET Core framework and any third-party libraries used in the application.

  5. Logging and Monitoring: Implement logging and monitoring to detect unauthorized access or suspicious activity related to credit card information, using the built-in ILogger<T> abstraction or a third-party logging library. Log who accessed card data and when, never the card number or security code itself.
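To make point 1 concrete, here is an added example (not from the original page) that reimplements the Luhn check performed by [CreditCard] and replaces the fixed three-digit pattern with a cross-field attribute that derives the expected security code length from the card number. It runs as a console program through the same System.ComponentModel.DataAnnotations validator that MVC model binding uses; the card numbers are well-known public test numbers, not real cards, and CardInput is a model constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;

public static class CardNumberRules
{
    // Luhn mod-10 checksum, the same check [CreditCard] performs after stripping spaces and dashes.
    public static bool PassesLuhn(string number)
    {
        var digits = number.Where(char.IsDigit).Select(c => c - '0').ToArray();
        if (digits.Length < 13 || digits.Length > 19) return false;
        int sum = 0;
        bool doubleIt = false;   // every second digit from the right is doubled
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            int d = digits[i];
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    // American Express numbers start with 34 or 37 and carry a 4-digit code; other brands use 3.
    public static int ExpectedSecurityCodeLength(string number)
    {
        var digits = new string(number.Where(char.IsDigit).ToArray());
        return digits.StartsWith("34") || digits.StartsWith("37") ? 4 : 3;
    }
}

// Cross-field attribute: the required code length depends on the card number on the same model.
[AttributeUsage(AttributeTargets.Property)]
public sealed class SecurityCodeForCardAttribute : ValidationAttribute
{
    private readonly string _cardNumberProperty;

    public SecurityCodeForCardAttribute(string cardNumberProperty) =>
        _cardNumberProperty = cardNumberProperty;

    protected override ValidationResult IsValid(object value, ValidationContext context)
    {
        var code = value as string ?? "";
        var pan = context.ObjectType.GetProperty(_cardNumberProperty)
                      ?.GetValue(context.ObjectInstance) as string ?? "";
        int expected = CardNumberRules.ExpectedSecurityCodeLength(pan);
        if (code.Length != expected || !code.All(char.IsDigit))
            return new ValidationResult($"Security code must be {expected} digits",
                                        new[] { context.MemberName });
        return ValidationResult.Success;
    }
}

public class CardInput
{
    [Required, CreditCard]
    public string CardNumber { get; set; }

    [Required, SecurityCodeForCard(nameof(CardNumber))]
    public string SecurityCode { get; set; }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed samples using public test numbers.
        var samples = new[]
        {
            new CardInput { CardNumber = "4111 1111 1111 1111", SecurityCode = "123" },  // Visa test number: valid
            new CardInput { CardNumber = "3714 496353 98431", SecurityCode = "123" },    // Amex test number: code too short
            new CardInput { CardNumber = "4111 1111 1111 1112", SecurityCode = "123" },  // fails the Luhn check
        };
        foreach (var s in samples)
        {
            Console.WriteLine($"Luhn({s.CardNumber}) = {CardNumberRules.PassesLuhn(s.CardNumber)}");
            var results = new List<ValidationResult>();
            bool ok = Validator.TryValidateObject(s, new ValidationContext(s), results,
                                                  validateAllProperties: true);
            Console.WriteLine(ok ? "  valid" : "  " + string.Join("; ", results.Select(r => r.ErrorMessage)));
        }
    }
}
```

Validator.TryValidateObject with validateAllProperties: true is what MVC runs during model binding, so the attribute behaves identically inside a controller. The first sample passes both checks, the second passes Luhn but is rejected because an Amex number requires a four-digit code, and the third fails [CreditCard] outright. The Luhn check is a typo detector, not an authenticity check: only the issuer's authorization can confirm that a number is live.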

References