In alignment with PCI DSS, sensitive payment card data must be masked when displayed and encrypted both on the client side and on the server side.
Obtain credit card information.
Encrypt all sensitive information that is transported or stored within the application, according to the organization's policies.
An unauthorized insider performing a man-in-the-middle (MitM) attack.
Expected Remediation Time
⌚ 120 minutes.
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
- Attack vector: A
- Attack complexity: H
- Privileges required: N
- User interaction: R
- Scope: U
- Confidentiality: L
- Integrity: N
- Availability: N
- Exploit code maturity: X
- Remediation level: X
- Report confidence: X
- Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
- Base score: 2.6
- Temporal score: 2.6
- Base severity: Low
- Temporal severity: Low
Compliant code
All sensitive information is securely encrypted before it is stored or transmitted
const crypto = require('crypto');

const CIPHER_ALGORITHM = 'aes-256-ctr'; // CTR gives confidentiality only; it does not detect tampering

// key: 32 random bytes fetched at runtime from a KMS/HSM or secrets manager, never hard-coded.
// Be aware you need dedicated secure infrastructure to store the keys, and rotate them regularly.
function cipherCardNumber(key, hashedCCNumber) {
  const iv = crypto.randomBytes(16); // fresh IV per record: a key/IV pair must never be reused in CTR mode
  const cipher = crypto.createCipheriv(CIPHER_ALGORITHM, key, iv);
  const cipheredNumber = Buffer.concat([cipher.update(hashedCCNumber, 'utf8'), cipher.final()]);
  return { iv, cipheredNumber }; // the IV is not secret; store it next to the ciphertext
}
Non compliant code
The application stores the hashed card number without encryption, so anyone who obtains valid user credentials for the data store can read it