Business information leak - Credit Cards - Java

Business information leak - Credit Cards - Java

Need

Protection of sensitive business information and customer credit card data

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet for building Java web applications with Servlet technology
  • Usage of java.io for input and output operations in Java programming

Description

Non compliant code

        import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class CreditCardServlet extends HttpServlet {
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String creditcardId = request.getParameter("creditcardId");
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("");
        out.println("

Your credit card Id is " + creditcardId + "

"); out.println(""); } }

The above code is a simple servlet that reads the creditcardId from the request and directly prints it in the response. This is a serious security flaw as it exposes sensitive customer data, in this case, the credit card ID, to anyone who can intercept the response.

Here is how the vulnerability works:

1. The servlet takes a parameter creditcardId from the HTTP request: String creditcardId = request.getParameter("creditcardId");.

2. The servlet then directly includes this credit card ID in the HTTP response without any form of encryption or obfuscation: out.println("

Your credit card Id is " + creditcardId + "

");.

This means that anyone who can intercept the HTTP response, for example by using a man-in-the-middle attack, can read the customer's credit card ID. This information could then be used for malicious purposes, such as identity theft or credit card fraud.

Moreover, if the application logs the HTTP responses for debugging purposes, the credit card IDs would also be stored in the logs, creating yet another potential point of data leakage.

Steps

  • Avoid storing sensitive information, such as credit card data, in variables that are directly used in the response.
  • Implement proper data handling and storage mechanisms to ensure the security of sensitive information.
  • Use encryption and secure protocols (e.g., HTTPS) to protect data transmission between the client and server.
  • Implement access controls and authentication mechanisms to restrict access to sensitive information.
  • Regularly update and patch the software to address any known vulnerabilities.
  • Conduct security testing and code reviews to identify and fix any potential vulnerabilities.
  • Follow secure coding practices and guidelines to minimize the risk of introducing vulnerabilities.

Compliant code

        import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;
import java.security.Key;

public class CreditCardServlet extends HttpServlet {
    private static String algorithm = "AES";
    private static byte[] keyValue=new byte[] {'A', 'S', 'e', 'c', 'r', 'e', 't', 'K', 'e', 'y', '1', '2', '3', '4', '5', '6'};

    // Encrypts the credit card ID
    private static String encrypt(String plainText) throws Exception {
        Key key = generateKey();
        Cipher chiper = Cipher.getInstance(algorithm);
        chiper.init(Cipher.ENCRYPT_MODE, key);
        byte[] encVal = chiper.doFinal(plainText.getBytes());
        String encryptedValue = Base64.getEncoder().encodeToString(encVal);
        return encryptedValue;
    }

    // Generates a key for encryption
    private static Key generateKey() throws Exception {
        Key key = new SecretKeySpec(keyValue, algorithm);
        return key;
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String creditcardId = request.getParameter("creditcardId");
        String encryptedCreditCardId = "";
        try {
            encryptedCreditCardId = encrypt(creditcardId);
        } catch (Exception e) {
            e.printStackTrace();
        }
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("");
        out.println("

Your encrypted credit card Id is " + encryptedCreditCardId + "

"); out.println(""); } }

The updated code now includes encryption for the credit card ID. The encryption is done using the AES algorithm. The encrypt method takes the plain text credit card ID and encrypts it using a secret key. The generateKey method generates this secret key.

In the doPost method, the credit card ID is retrieved from the request, encrypted, and then included in the response. This ensures that even if the response is intercepted, the credit card ID will not be exposed because it is encrypted.

This is a basic level of protection and should be supplemented with other security measures such as using HTTPS for data transmission, implementing access controls and authentication, regularly updating and patching the software, conducting security testing and code reviews, and following secure coding practices.

References