Database

Automatic Information Enumeration - Credit Cards

Need

To prevent the listing and exposure of credit card information by implementing proper validation.

Context

• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications

• Usage of Ecto (3.6.2 and above) for database query and manipulation

• Usage of Plug (1.11.1 and above) for building composable web applications in Elixir

Description

1. Non-compliant code

defmodule MyApp.PaymentController do
  use MyApp.Web, :controller

  def create(conn, %{"card" => card_params}) do
    # The submitted card parameters are persisted as received: neither the
    # expiration date nor the security code is validated before creation.
    {:ok, card} = MyApp.Card.create_card(card_params)
    render(conn, "card.json", card: card)
  end
end

This code is vulnerable because the card's expiration date and security code are never validated before the card is created. This missing validation could allow an attacker to list credit card information.

2. Steps

• Implement validation for the expiration date and security code in the card creation function.

• Install a credit card validation library if available.

3. Secure code example

defmodule MyApp.PaymentController do
  use MyApp.Web, :controller

  def create(conn, %{"card" => card_params}) do
    # Validate the expiration date and security code before touching the database;
    # creation only runs when validation returns :ok.
    with :ok <- MyApp.Card.validate_card(card_params),
         {:ok, card} <- MyApp.Card.create_card(card_params) do
      render(conn, "card.json", card: card)
    else
      # Any validation or creation failure is rejected with a generic 400 response
      _ -> send_resp(conn, :bad_request, "Invalid card information.")
    end
  end
end

In this secure code example, we've added a card validation step using the `validate_card` function. This function checks the expiration date and security code of the credit card before creating it.
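The following module is an added example of what `MyApp.Card.validate_card/1` could look like; it is not code from the original page or from any library. It assumes the controller passes a map with string keys `"number"`, `"exp_month"`, `"exp_year"` and `"cvc"`, uses only the Elixir standard library (no Ecto, no third-party validation library), and goes slightly beyond the text by also running a Luhn checksum on the card number. The sample inputs at the bottom are constructed for illustration.

```elixir
# Hypothetical MyApp.Card module (added example, not from the original page).
# validate_card/1 returns :ok or {:error, reason} and must be called before create_card/1.
defmodule MyApp.Card do
  @cvc_re ~r/\A\d{3,4}\z/
  @number_re ~r/\A\d{12,19}\z/

  def validate_card(params) when is_map(params) do
    # Each check returns :ok; the first non-:ok value short-circuits and is returned as-is.
    with :ok <- validate_number(Map.get(params, "number")),
         :ok <- validate_expiration(Map.get(params, "exp_month"), Map.get(params, "exp_year")),
         :ok <- validate_cvc(Map.get(params, "cvc")) do
      :ok
    end
  end

  def validate_card(_), do: {:error, :invalid_params}

  # Card number: digits only (spaces/dashes stripped), plausible length, Luhn-valid.
  defp validate_number(number) when is_binary(number) do
    digits = String.replace(number, ~r/[\s-]/, "")

    cond do
      not Regex.match?(@number_re, digits) -> {:error, :invalid_number}
      not luhn_valid?(digits) -> {:error, :invalid_number}
      true -> :ok
    end
  end

  defp validate_number(_), do: {:error, :invalid_number}

  # Luhn checksum: starting from the rightmost digit, double every second digit,
  # subtract 9 when the doubled value exceeds 9, and require the sum to be divisible by 10.
  defp luhn_valid?(digits) do
    sum =
      digits
      |> String.graphemes()
      |> Enum.map(&String.to_integer/1)
      |> Enum.reverse()
      |> Enum.with_index()
      |> Enum.map(fn
        {d, i} when rem(i, 2) == 1 -> if d * 2 > 9, do: d * 2 - 9, else: d * 2
        {d, _} -> d
      end)
      |> Enum.sum()

    rem(sum, 10) == 0
  end

  # Expiration: month must be 1..12 and the card is valid through the end of
  # its expiration month, so only {year, month} earlier than today's is expired.
  defp validate_expiration(month, year) do
    today = Date.utc_today()

    with {:ok, m} when m in 1..12 <- to_int(month),
         {:ok, y} <- to_int(year) do
      # Accept two-digit years ("27") as well as four-digit ones ("2027")
      y = if y < 100, do: 2000 + y, else: y
      if {y, m} >= {today.year, today.month}, do: :ok, else: {:error, :expired}
    else
      _ -> {:error, :invalid_expiration}
    end
  end

  defp to_int(v) when is_integer(v), do: {:ok, v}

  defp to_int(v) when is_binary(v) do
    case Integer.parse(String.trim(v)) do
      {i, ""} -> {:ok, i}
      _ -> :error
    end
  end

  defp to_int(_), do: :error

  # Security code: exactly 3 or 4 digits, nothing else.
  defp validate_cvc(cvc) when is_binary(cvc) do
    if Regex.match?(@cvc_re, cvc), do: :ok, else: {:error, :invalid_cvc}
  end

  defp validate_cvc(_), do: {:error, :invalid_cvc}
end

# Constructed sample inputs; 4111 1111 1111 1111 is a widely used Luhn-valid test number.
valid = %{"number" => "4111 1111 1111 1111", "exp_month" => "12", "exp_year" => "2099", "cvc" => "123"}
expired = %{valid | "exp_year" => "2020"}
bad_cvc = %{valid | "cvc" => "12a"}

IO.inspect(MyApp.Card.validate_card(valid), label: "valid")
IO.inspect(MyApp.Card.validate_card(expired), label: "expired")
IO.inspect(MyApp.Card.validate_card(bad_cvc), label: "bad cvc")
```

Run it with `elixir card_validation.exs`. The error tuples are deliberately kept internal: the controller above collapses every failure into the same generic `400 Invalid card information.` response, so a caller cannot use the validation step itself to learn which part of a submitted card was wrong.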