Business Information Leak - Credit Cards
Need
Prevent credit card information from being exposed in responses
Context
• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of Phoenix Framework for building web applications (version 1.5.0 and above)
Description
1. Non compliant code
defmodule MyApp.UserController do
use MyApp, :controller
def show(conn, %{"id" => id}) do
user = Repo.get!(User, id)
render(conn, "show.json", user: user)
end
...This code is returning the user's credit card information in the response to the 'show' request. If an attacker can access the responses to these requests, they can obtain sensitive credit card information.
2. Steps
• Do not include sensitive information like credit card data in the response.
• Always sanitize data before sending it in a response.
3. Secure code example
defmodule MyApp.UserController do
use MyApp, :controller
def show(conn, %{"id" => id}) do
user = Repo.get!(User, id)
render(conn, "show.json", user: user)
end
...The secure code does not include the user's credit card information in the response, thus protecting sensitive data.
References
• 217. Business Information Leak - Credit Cards