
Automatic Information Enumeration - Credit Cards - Elixir


Need

To prevent the listing and exposure of credit card information by implementing proper validation.


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Ecto (3.6.2 and above) for database query and manipulation
  3. Usage of Plug (1.11.1 and above) for building composable web applications in Elixir

Description

Insecure Code Example

defmodule MyApp.PaymentController do
  use MyApp.Web, :controller

  # Vulnerable: the card parameters go straight from the request into
  # create_card/1. Nothing checks the expiration date or the security code,
  # so any card number the client sends is accepted and stored.
  def create(conn, %{"card" => card_params}) do
    # A failed create_card/1 raises a MatchError here instead of returning
    # an error response; the vulnerability discussed is the missing validation.
    {:ok, card} = MyApp.Card.create_card(card_params)
    render(conn, "card.json", card: card)
  end
end

This code is vulnerable because the card data is persisted without any validation of the expiration date or the security code (CVV/CVC): an expired card, a card with a wrong security code, or a card number that does not pass a checksum are all accepted. An attacker can therefore submit card numbers in bulk and use the endpoint to enumerate which ones the application accepts, which exposes credit card information.

Steps

  1. Validate the card in the creation function before it is persisted: the expiration date must not be in the past and the security code must have the expected length and contain only digits. Reject the request with a generic error when validation fails.
  2. Where one is available, use a credit card validation library instead of hand-written checks, so that number, expiration and security-code rules are maintained in one place.

Secure Code Example

defmodule MyApp.PaymentController do
  use MyApp.Web, :controller

  def create(conn, %{"card" => card_params}) do
    # validate_card/1 checks expiration date and security code first;
    # create_card/1 only runs when validation returned :ok.
    with :ok <- MyApp.Card.validate_card(card_params),
         {:ok, card} <- MyApp.Card.create_card(card_params) do
      render(conn, "card.json", card: card)
    else
      # Both validation and creation failures end here with the same
      # generic message, so the response does not reveal which check failed.
      _ -> send_resp(conn, :bad_request, "Invalid card information.")
    end
  end
end

In this secure code example, a card validation step using the `validate_card` function runs before the card is created. This function checks the expiration date and security code of the credit card; if either check fails, the card is never persisted and the client receives a generic `400 Bad Request` without details about which field was rejected.
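The page does not show the body of `MyApp.Card.validate_card/1`. The module below is an added example of what that function could delegate to; it is not code from the original page or from any library. The module name `MyApp.Card.Validator`, the parameter keys `"number"`, `"exp_month"`, `"exp_year"` and `"cvc"`, and the handling of two-digit years are assumptions and must be adapted to the parameters your form actually sends. It checks three things: the card number passes the Luhn checksum, the expiration month/year is not in the past, and the security code has the length expected for the card brand (four digits for American Express, three otherwise).

```elixir
defmodule MyApp.Card.Validator do
  @moduledoc """
  Added example (not from the original page): validates card input before it
  reaches persistence. Field names and the two-digit-year rule are assumptions.
  Returns :ok or {:error, reason}; the reason is meant for logs, not clients.
  """

  @spec validate(map()) :: :ok | {:error, String.t()}
  def validate(params) when is_map(params) do
    with {:ok, number} <- validate_number(params["number"]),
         :ok <- validate_expiration(params["exp_month"], params["exp_year"]),
         :ok <- validate_cvc(params["cvc"], number) do
      :ok
    end
  end

  def validate(_), do: {:error, "invalid card payload"}

  # Strip spaces and dashes, then require 12 to 19 digits and a valid Luhn checksum.
  defp validate_number(number) when is_binary(number) do
    digits = String.replace(number, ~r/[\s-]/, "")

    cond do
      not Regex.match?(~r/^\d{12,19}$/, digits) -> {:error, "invalid card number"}
      not luhn_valid?(digits) -> {:error, "invalid card number"}
      true -> {:ok, digits}
    end
  end

  defp validate_number(_), do: {:error, "invalid card number"}

  # Luhn: from the right, double every second digit, subtract 9 when the
  # result exceeds 9, and require the total to be a multiple of 10.
  defp luhn_valid?(digits) do
    sum =
      digits
      |> String.to_charlist()
      |> Enum.map(&(&1 - ?0))
      |> Enum.reverse()
      |> Enum.with_index()
      |> Enum.reduce(0, fn {d, i}, acc ->
        if rem(i, 2) == 1 do
          doubled = d * 2
          acc + if(doubled > 9, do: doubled - 9, else: doubled)
        else
          acc + d
        end
      end)

    rem(sum, 10) == 0
  end

  # Accept only a month in 1..12 and a year that is the current month or later.
  # Assumption: two-digit years are interpreted as 20xx.
  defp validate_expiration(month, year) do
    with {m, ""} when m in 1..12 <- Integer.parse(to_string(month)),
         {y, ""} <- Integer.parse(to_string(year)) do
      y = if y < 100, do: 2000 + y, else: y
      %Date{year: cy, month: cm} = Date.utc_today()

      if {y, m} >= {cy, cm}, do: :ok, else: {:error, "card has expired"}
    else
      _ -> {:error, "invalid expiration date"}
    end
  end

  # American Express numbers (prefix 34 or 37) carry a 4-digit code; others use 3.
  defp validate_cvc(cvc, number) when is_binary(cvc) do
    expected = if String.starts_with?(number, ["34", "37"]), do: 4, else: 3

    if Regex.match?(~r/^\d+$/, cvc) and String.length(cvc) == expected,
      do: :ok,
      else: {:error, "invalid security code"}
  end

  defp validate_cvc(_, _), do: {:error, "invalid security code"}
end
```

`MyApp.Card.validate_card/1` from the secure example can delegate to `MyApp.Card.Validator.validate/1` and, on `{:error, reason}`, log the reason server-side while the controller keeps returning the generic "Invalid card information." message. Returning the specific reason to the client would hand an enumerating attacker per-field feedback, which is exactly the signal this page is trying to remove; format validation also does not by itself stop bulk submission, so the endpoint should still be subject to the application's usual request throttling.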


References

  • 254 - Automatic Information Enumeration - Credit Cards

  • Last updated

    2023/09/18