Business information leak - Credit Cards - Dart

Business information leak - Credit Cards - Dart

Need

Protection of customer credit card data and business information confidentiality

Context

  • Usage of Dart 2.0 for building scalable and performant applications
  • Usage of Shelf for managing data persistence and querying in Node.js applications

Description

Non compliant code

        import 'package:shelf/shelf.dart' as shelf;

class CreditCard {
  String creditCardId;
  String cardNumber;
  String cardHolderName;
  String expiryDate;
  String cvv;
  
  CreditCard({this.creditCardId, this.cardNumber, this.cardHolderName, this.expiryDate, this.cvv});
}

class CreditCardHandler {
  shelf.Response handleRequest(shelf.Request request) {
    var creditCard = CreditCard(
      creditCardId: '1234567890',
      cardNumber: '4111111111111111',
      cardHolderName: 'John Doe',
      expiryDate: '12/2025',
      cvv: '123'
    );

    return shelf.Response.ok(creditCard.creditCardId);
  }
}
        
        

The above code demonstrates a Dart backend application using the Shelf framework. In this code, a CreditCard class is defined with properties related to credit card information such as creditCardId, cardNumber, cardHolderName, expiryDate, and cvv.

A CreditCardHandler class is also defined which includes a handleRequest method. This method creates a CreditCard object with hard-coded credit card information and returns a response with the creditCardId.

The vulnerability here is that the creditCardId is being exposed in the response. This creditCardId could potentially be used to identify and access more sensitive credit card information. Moreover, the method handleRequest is not validating the request or checking for any authentication or authorization. This means any client can make a request and receive the creditCardId, leading to a business information leak.

Steps

  • Firstly, ensure that sensitive data such as credit card information is not exposed in any form. This includes not sending such data in responses to requests.
  • Implement proper access controls to ensure that only authorized users can access sensitive data.
  • Encrypt sensitive data at rest and in transit. This includes the credit card information.
  • Use secure methods for storing and transmitting sensitive data. Avoid storing sensitive data in plain text.
  • Regularly audit your code and systems for security vulnerabilities and fix them promptly.
  • Implement proper error handling to prevent information leaks through error messages.
  • Consider using tokenization or other secure methods for handling credit card data, instead of dealing with the actual credit card numbers.

Compliant code

        import 'package:shelf/shelf.dart' as shelf;
import 'dart:convert';

class CreditCard {
  String creditCardId;
  String cardNumber;
  String cardHolderName;
  String expiryDate;
  String cvv;
  
  CreditCard({this.creditCardId, this.cardNumber, this.cardHolderName, this.expiryDate, this.cvv});

  // Convert CreditCard object into JSON object
  Map toJson() => {
    'creditCardId': creditCardId,
    'cardHolderName': cardHolderName,
    'expiryDate': expiryDate,
  };
}

class CreditCardHandler {
  shelf.Response handleRequest(shelf.Request request) {
    var creditCard = CreditCard(
      creditCardId: '1234567890',
      cardNumber: '4111111111111111',
      cardHolderName: 'John Doe',
      expiryDate: '12/2025',
      cvv: '123'
    );

    // Convert CreditCard object into JSON object
    var creditCardJson = jsonEncode(creditCard.toJson());

    return shelf.Response.ok(creditCardJson);
  }
}
        
        

The updated code now ensures that sensitive data such as the credit card number and CVV are not exposed in the response to requests. This is achieved by implementing a toJson() method in the CreditCard class that only includes the creditCardId, cardHolderName, and expiryDate in the JSON object. The cardNumber and cvv are excluded from the JSON object, thus preventing their exposure.

In the CreditCardHandler class, the handleRequest() method now uses the toJson() method to convert the CreditCard object into a JSON object before sending it in the response. This ensures that only the necessary data is included in the response, and sensitive data is not exposed.

Please note that this is just a basic fix. For a production environment, it is recommended to implement proper access controls, encrypt sensitive data at rest and in transit, use secure methods for storing and transmitting sensitive data, regularly audit your code and systems for security vulnerabilities, implement proper error handling, and consider using tokenization or other secure methods for handling credit card data.

References