Automatic information enumeration - Credit Cards - Java

Automatic information enumeration - Credit Cards - Java

Need

Enhancement of credit card validation and security measures

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet.http.* for handling HTTP requests and responses in Java Servlets
  • Usage of java.io.IOException for handling input/output exceptions in Java

Description

Non compliant code

        import javax.servlet.http.*;
import java.io.IOException;

public class CreditCardServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String cardNumber = request.getParameter("cardNumber");
        String expiryDate = request.getParameter("expiryDate");
        String cvv = request.getParameter("cvv");

        // No validation for expiryDate and cvv
        response.getWriter().println("Card Number: " + cardNumber);
        response.getWriter().println("Expiry Date: " + expiryDate);
        response.getWriter().println("CVV: " + cvv);
    }
}
        
        

The above code represents a servlet that handles HTTP GET requests. It reads three parameters from the request: the credit card number ( cardNumber), the expiration date ( expiryDate), and the security code ( cvv).

The vulnerability lies in the fact that the servlet does not perform any validation on the expiryDate and cvv parameters before using them. This means that an attacker can send a GET request with arbitrary values for these parameters and the servlet will simply echo them back in the response.

This could potentially allow an attacker to enumerate credit card information by trying different combinations of expiryDate and cvv values and observing the server's responses. For example, if the server returns a different response when the expiryDate and cvv match a valid credit card stored in the backend, this could be used to identify valid credit cards.

In a real-world scenario, the server would likely be doing something more complex with these values, such as processing a payment, but the same principle applies: without proper validation, an attacker can use automated tools to quickly try many different values and potentially uncover sensitive information.

Steps

  • Implement validation for the expiry date and CVV fields
  • Use a secure method to store and transmit credit card information
  • Consider implementing additional security measures such as encryption and tokenization
  • Regularly update and patch the application to address any new vulnerabilities

Compliant code

        import javax.servlet.http.*;
import java.io.IOException;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.util.regex.Pattern;

public class CreditCardServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String cardNumber = request.getParameter("cardNumber");
        String expiryDate = request.getParameter("expiryDate");
        String cvv = request.getParameter("cvv");

        // Validate expiryDate and cvv
        if (isValidExpiryDate(expiryDate) && isValidCVV(cvv)) {
            response.getWriter().println("Card Number: " + cardNumber);
            response.getWriter().println("Expiry Date: " + expiryDate);
            response.getWriter().println("CVV: " + cvv);
        } else {
            response.getWriter().println("Invalid credit card information");
        }
    }

    private boolean isValidExpiryDate(String expiryDate) {
        DateTimeFormatter formatter = DateTimeFormatter.ofPattern("MM/yy");
        try {
            LocalDate date = LocalDate.parse(expiryDate, formatter);
            return date.isAfter(LocalDate.now());
        } catch (Exception e) {
            return false;
        }
    }

    private boolean isValidCVV(String cvv) {
        Pattern pattern = Pattern.compile("^[0-9]{3,4}$");
        return pattern.matcher(cvv).matches();
    }
}
        
        

The updated code now includes validation for both the expiry date and CVV fields.

The isValidExpiryDate method checks if the expiry date is in the correct format (MM/yy) and if the date is after the current date. If the date is not in the correct format or if the date is before the current date, the method will return false, indicating that the expiry date is not valid.

The isValidCVV method checks if the CVV is a 3 or 4 digit number. If the CVV is not a 3 or 4 digit number, the method will return false, indicating that the CVV is not valid.

If either the expiry date or CVV is not valid, the servlet will respond with "Invalid credit card information".

Please note that this code does not include any encryption or tokenization for the credit card information. It is highly recommended to implement such security measures when dealing with sensitive data like credit card information. Regular updates and patches should also be applied to the application to address any new vulnerabilities.

References