
Automatic information enumeration - Credit Cards

Need

Enhancement of credit card validation and security measures

Context

  • Usage of Dart for building cross-platform mobile, web, and server applications
  • Usage of Shelf as the middleware and request-handling framework for Dart web servers

Description

Non compliant code

import 'package:shelf/shelf.dart' as shelf;

// Plain data model holding the full card data, including the security code.
class CreditCard {
  String number;
  String expiryDate;
  String securityCode;

  CreditCard(this.number, this.expiryDate, this.securityCode);
}

class CreditCardController {
  // No authorization check and no validation: whatever card data is passed in
  // is echoed straight back to the caller, security code included.
  shelf.Response getCreditCardDetails(CreditCard card) {
    return shelf.Response.ok(
        'Card Number: ${card.number}, Expiry Date: ${card.expiryDate}, Security Code: ${card.securityCode}');
  }
}

The code above illustrates a vulnerability in which credit card data is returned to the caller verbatim, with no validation of the input and no check of who is asking.

The CreditCard class is a simple data model that represents a credit card with fields for the number, expiry date and security code.

The CreditCardController class has a method getCreditCardDetails which accepts a CreditCard object and returns a response containing the card number, expiry date and security code.

The vulnerability lies in getCreditCardDetails. It performs no authorization check and applies no validation to the card number, expiry date or security code before echoing all three back in the response. Any caller who can reach the endpoint can therefore use it to enumerate card details, and the full security code is disclosed in every response.

It's important to note that exposing sensitive information like credit card details (especially the security code) in any form is a serious security concern and should be avoided.

Steps

  • Implement input validation for the credit card details: check the format of the card number (digits only, valid Luhn check digit), the expiry date (MM/YY and not in the past) and the security code (three or four digits) before using them.
  • Do not return sensitive data like the security code in the response. It must never be exposed, even to a legitimate requester, and it must not be stored at all once the transaction has been authorized.
  • Encrypt the card number when storing or transmitting it, using strong, well-reviewed algorithms and a key management system. Hashing it with a general-purpose hash such as SHA-256 is not encryption and offers little protection for a value with as little entropy as a card number.
  • Implement access controls so that only authorized users can view or modify a card: check that the caller owns the card or holds a role that permits access, and perform that check before any validation so that validation errors cannot serve as a validity oracle for unauthorized callers.
  • Log and monitor access to credit card details (who, which card, outcome, never the card data itself) so that enumeration attempts and other suspicious behaviour can be detected and investigated.
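The steps above fit together as one request pipeline. The following is an added end-to-end example, not code from the original page: it wires a Shelf authentication middleware, an audit-logging middleware and a handler that returns only masked card data, and drives the pipeline in-process so it can be run without opening a socket. It assumes the `shelf` 1.x package is declared in pubspec.yaml; the `Principal` class, the `sessions` and `cardsByOwner` maps and the `auditLog` sink are constructed sample data standing in for a session store, a card store and a log pipeline.

```dart
import 'dart:convert';

import 'package:shelf/shelf.dart';

// Authenticated caller resolved from a session token (hypothetical type).
class Principal {
  final String userId;
  final bool isSupport;
  const Principal(this.userId, this.isSupport);
}

// Constructed sample data: a token-to-principal map standing in for a session
// store, and a card store keyed by owner. The CVV is kept here only so the
// example can show that it never reaches a response.
const Map<String, Principal> sessions = {
  'tok-alice': Principal('alice', false),
  'tok-support': Principal('support-1', true),
};

const Map<String, Map<String, String>> cardsByOwner = {
  'alice': {'number': '4111111111111111', 'expiry': '12/30', 'cvv': '123'},
  'bob': {'number': '5555555555554444', 'expiry': '06/29', 'cvv': '456'},
};

// In-memory audit sink; a real service would ship these lines to its SIEM.
final List<String> auditLog = [];

void audit(String who, Request req, int status) {
  // Record who asked for what and the outcome, never the card data itself.
  auditLog.add('${DateTime.now().toUtc().toIso8601String()} '
      'user=$who ${req.method} /${req.url.path} -> $status');
}

String maskPan(String pan) =>
    '*' * (pan.length - 4) + pan.substring(pan.length - 4);

// Authentication middleware: resolves the bearer token to a Principal, stores
// it in the request context for downstream handlers, and rejects (and logs)
// requests without a valid token.
Middleware authenticate() => (Handler inner) => (Request req) {
      final auth = req.headers['authorization'] ?? '';
      final token = auth.startsWith('Bearer ') ? auth.substring(7) : '';
      final principal = sessions[token];
      if (principal == null) {
        audit('anonymous', req, 401);
        return Response.unauthorized('Missing or invalid token');
      }
      return inner(req.change(context: {'principal': principal}));
    };

// Audit middleware, placed after authentication so the principal is known.
Middleware auditAccess() => (Handler inner) => (Request req) async {
      final resp = await inner(req);
      audit((req.context['principal'] as Principal).userId, req, resp.statusCode);
      return resp;
    };

// GET /cards/me returns the caller's own card. The lookup is keyed on the
// authenticated principal, not on a client-supplied identifier, so an ordinary
// user has nothing to iterate over. Support staff may use /cards/<ownerId>.
Response cardHandler(Request req) {
  final principal = req.context['principal'] as Principal;
  final segments = req.url.pathSegments;
  if (segments.length != 2 || segments[0] != 'cards') {
    return Response.notFound('Not found');
  }
  final ownerId = segments[1] == 'me' ? principal.userId : segments[1];
  if (ownerId != principal.userId && !principal.isSupport) {
    return Response.forbidden('Access denied');
  }
  final card = cardsByOwner[ownerId];
  if (card == null) return Response.notFound('No card on file');
  // Only the masked PAN and expiry are serialised; the CVV field is not read.
  return Response.ok(
      jsonEncode({'number': maskPan(card['number']!), 'expiry': card['expiry']}),
      headers: {'content-type': 'application/json'});
}

Future<void> main() async {
  final Handler app = Pipeline()
      .addMiddleware(authenticate())
      .addMiddleware(auditAccess())
      .addHandler(cardHandler);

  // Drive the pipeline in-process instead of binding a socket.
  Future<void> call(String path, [String? token]) async {
    final req = Request('GET', Uri.parse('http://localhost$path'),
        headers: {if (token != null) 'authorization': 'Bearer $token'});
    final resp = await app(req);
    print('$path -> ${resp.statusCode} ${await resp.readAsString()}');
  }

  await call('/cards/me');                 // 401: no token
  await call('/cards/me', 'tok-alice');    // 200: ************1111, no CVV
  await call('/cards/bob', 'tok-alice');   // 403: not her card
  await call('/cards/bob', 'tok-support'); // 200: support role
  auditLog.forEach(print);
}
```

The support path `/cards/<ownerId>` is an enumeration surface by design, which is why it is gated on a role and why every call lands in the audit log with the caller, the path and the status code; a burst of lookups across many owner identifiers from one support account is the pattern monitoring should alert on. Note that `auditAccess()` sits inside `authenticate()` in the pipeline, so the principal is already in the request context when it runs; rejected tokens are logged by the authentication middleware itself.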

Compliant code

import 'package:shelf/shelf.dart' as shelf;

// Roles that are allowed to read card data; anything else is denied.
enum Role { cardholder, support }

class User {
  final String id;
  final Role role;

  const User(this.id, this.role);
}

class CreditCard {
  final String number;       // PAN, digits only
  final String expiryDate;   // MM/YY
  final String securityCode; // CVV/CVC; used for authorization, never returned
  final String ownerId;      // user the card belongs to

  const CreditCard(this.number, this.expiryDate, this.securityCode, this.ownerId);

  // Luhn check-digit validation of the PAN (12 to 19 digits).
  static bool luhnValid(String pan) {
    if (!RegExp(r'^\d{12,19}$').hasMatch(pan)) return false;
    var sum = 0;
    var doubleIt = false;
    for (var i = pan.length - 1; i >= 0; i--) {
      var d = pan.codeUnitAt(i) - 0x30;
      if (doubleIt) {
        d *= 2;
        if (d > 9) d -= 9;
      }
      sum += d;
      doubleIt = !doubleIt;
    }
    return sum % 10 == 0;
  }

  // Expiry must be MM/YY; the card is valid through the last day of that month.
  static bool expiryValid(String expiry, DateTime now) {
    final m = RegExp(r'^(0[1-9]|1[0-2])/(\d{2})$').firstMatch(expiry);
    if (m == null) return false;
    final month = int.parse(m.group(1)!);
    final year = 2000 + int.parse(m.group(2)!);
    // DateTime normalises month 13 to January of the following year.
    final firstInvalidDay = DateTime.utc(year, month + 1, 1);
    return now.isBefore(firstInvalidDay);
  }

  // Validate card details: format and checksum of the number, expiry not in
  // the past, security code three or four digits.
  bool validateDetails({DateTime? now}) =>
      luhnValid(number) &&
      expiryValid(expiryDate, now ?? DateTime.now().toUtc()) &&
      RegExp(r'^\d{3,4}$').hasMatch(securityCode);

  // Masked PAN for display: only the last four digits are shown.
  String get maskedNumber =>
      '*' * (number.length - 4) + number.substring(number.length - 4);
}

class CreditCardController {
  // Implement access controls: a user may read a card only if they own it or
  // hold the support role.
  bool checkUserPermissions(User user, CreditCard card) =>
      user.role == Role.support || user.id == card.ownerId;

  shelf.Response getCreditCardDetails(CreditCard card, User user) {
    // Authorization first, so validation errors are not an oracle for
    // unauthorized callers.
    if (!checkUserPermissions(user, card)) {
      return shelf.Response.forbidden('Access denied');
    }
    if (!card.validateDetails()) {
      return shelf.Response.badRequest(body: 'Invalid card details');
    }

    // Do not return sensitive data: the number is masked and the security
    // code never appears in the response.
    return shelf.Response.ok(
        'Card Number: ${card.maskedNumber}, Expiry Date: ${card.expiryDate}');
  }
}

The updated code includes several security improvements:

  • Input validation: The validateDetails method in the CreditCard class checks that the card number is 12 to 19 digits with a valid Luhn check digit, that the expiry date is in MM/YY form and not in the past, and that the security code is three or four digits. Malformed or fabricated input is rejected before anything is looked up or returned.

  • Data masking: The response carries only the masked card number (last four digits) via maskedNumber. Hashing the number with SHA-256 and returning the digest is not a substitute: a hash is not encryption, and because the set of valid numbers for a known issuer prefix is small, a bare hash of a card number can be brute-forced. Encryption of stored card data (step 3 above) belongs in the storage layer, backed by a key management system, not in the response.

  • Access controls: The checkUserPermissions method in the CreditCardController class ties the check to the specific card: the caller must own it or hold the support role. It runs before validation so that the distinction between "forbidden" and "invalid" cannot be used by an unauthorized caller to test card data.

  • Sensitive data exposure: The getCreditCardDetails method no longer returns the security code, and the card number is masked. The security code is used only where the transaction is authorized and should not be persisted afterwards.

Remember to also implement logging and monitoring for activities related to credit card details. This can help detect and respond to suspicious behavior or security incidents.

References