Skip to main content

Non-encrypted confidential information - Credit Cards

Need

Secure encryption and masking of credit card information

Context

  • Usage of TypeScript for type-checking and compiling JavaScript code
  • Usage of Express for building web applications and APIs

Description

Non compliant code

import express from 'express';

const app = express();

app.post('/payment', (req, res) => {
  const creditCardNumber = req.body.creditCardNumber;
  const cvv = req.body.cvv;
  const expirationDate = req.body.expirationDate;

  // Process payment using the credit card information

  res.send('Payment successful');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in this code is that it is not encrypting or masking the sensitive credit card information (creditCardNumber, cvv, expirationDate) when it is being transported or stored within the application. This means that an attacker who gains access to the system or intercepts the network traffic can easily obtain the credit card information in plain text.

The code receives the credit card information from the request body and then proceeds to process the payment without any encryption or masking. This puts the credit card information at risk of being compromised.

To address this vulnerability, it is recommended to encrypt all sensitive information, such as credit card numbers, CVV codes, and expiration dates, according to the organization's policies. This can be achieved by using secure encryption algorithms and techniques to protect the data both during transport and storage.

Steps

  • Implement encryption for the credit card information before storing or transmitting it
  • Use a secure encryption algorithm and ensure proper key management
  • Update the code to encrypt the credit card information before processing the payment
  • Ensure that the encryption key is securely stored and not hardcoded in the code
  • Consider using a secure tokenization solution to store and process credit card information
  • Regularly review and update encryption practices to align with industry standards and best practices

Compliant code

import express from 'express';
import { encrypt } from 'encryption-library'; // Replace 'encryption-library' with the actual encryption library you are using

const app = express();

app.post('/payment', (req, res) => {
  const creditCardNumber = encrypt(req.body.creditCardNumber); // Encrypt credit card number
  const cvv = encrypt(req.body.cvv); // Encrypt CVV
  const expirationDate = encrypt(req.body.expirationDate); // Encrypt expiration date

  // Process payment using the encrypted credit card information

  res.send('Payment successful');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code addresses the vulnerability by encrypting sensitive credit card information before storing or transmitting it within the application. Here's an explanation of the changes made:

  1. The code imports the necessary dependencies, including the 'express' library for building the server and an 'encryption-library' for encrypting the sensitive data. Replace 'encryption-library' with the actual encryption library you are using.

  2. The code creates an instance of the Express application using the 'express()' function.

  3. The code defines a POST route '/payment' that handles payment requests. When a request is made to this route, the code extracts the credit card number, CVV, and expiration date from the request body.

  4. The code then encrypts the credit card number, CVV, and expiration date using the 'encrypt' function from the encryption library. Replace 'encrypt' with the actual encryption function provided by your chosen library.

  5. After encrypting the sensitive information, the code can proceed to process the payment using the encrypted credit card information. This ensures that the credit card details are not exposed in plain text.

  6. Finally, the code sends a response indicating that the payment was successful.

  7. The code starts the server and listens on port 3000 for incoming requests.

By encrypting the credit card information before storing or transmitting it, the fixed code ensures that the sensitive data is protected and not easily accessible to unauthorized individuals.

References

Last updated on