
Automatic information enumeration - Credit Cards - Php


Need

Enhancement of credit card validation and security measures


Context

  1. Usage of PHP 7.0 for server-side scripting and web development
  2. Usage of Illuminate\Http\Request for handling HTTP requests in Laravel
  3. Usage of the CreditCard model in the App\Models namespace

Description

Insecure Code Example

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use App\Models\CreditCard;

class CreditCardController extends Controller
{
    public function getCreditCardDetails(Request $request)
    {
        // Vulnerable: no authentication, no ownership check, full record returned
        $creditCard = CreditCard::where('card_number', $request->card_number)->first();
        return response()->json($creditCard);
    }
}

In the code above, the `getCreditCardDetails` function in the `CreditCardController` class fetches the credit card details for the card number provided in the request without checking whether the request comes from an authenticated and authorized user. It uses Laravel's Eloquent ORM to fetch the credit card record from the database and returns the whole record. The vulnerability is that anyone who knows a card number can retrieve the associated card's details, including sensitive information such as the card's expiration date and security code, and because the endpoint is unauthenticated and unthrottled, an attacker can submit many candidate numbers and enumerate which ones exist. This is a serious security issue, as it can lead to credit card information theft and unauthorized transactions. The root cause is a lack of access control and request validation: the system must not expose sensitive information without verifying the requester's identity and their authorization to access that specific record.

Steps

  1. Add authentication middleware to the controller to ensure only authorized users can access the credit card details.
  2. Implement input validation to check if the provided card number is valid and belongs to the authenticated user.
  3. Encrypt sensitive data such as the card number, expiration date, and security code in the database.
  4. Do not return sensitive data like the security code and expiration date in the API response. If necessary, mask part of the card number.
  5. Implement rate limiting to prevent brute force attacks or automated enumeration of card details.
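Steps 3 and 4 are applied on the storage side, in the model rather than the controller. The Eloquent model below is an added example, not code from the original page or from the project it describes: it encrypts the card number and expiration date on write with Laravel's `Crypt` facade, keeps the sensitive columns out of JSON serialisation, and exposes the plaintext only through explicit methods so that `$card->card_number` never accidentally yields a decrypted value. Column names other than `card_number`, `card_holder_name` and `user_id`, and the `User` relation, are assumptions. The security code is deliberately not a fillable attribute: PCI DSS does not permit retaining it after authorisation, so the safest way to "protect" it is not to store it.

```php
<?php
// Added example, not part of the original page. Encrypts card data on write so
// plaintext never reaches the database (step 3) and keeps sensitive columns out
// of JSON output (step 4). Column names other than card_number, card_holder_name
// and user_id are assumptions.

namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Crypt;

class CreditCard extends Model
{
    protected $fillable = ['user_id', 'card_number', 'card_holder_name', 'expiration_date'];

    // Excluded from toArray()/toJson(), so response()->json($card) cannot leak them.
    // security_code is listed defensively: PCI DSS forbids retaining it at all.
    protected $hidden = ['expiration_date', 'security_code', 'user_id'];

    // Mutators run on assignment: the attribute array only ever holds ciphertext.
    // Crypt::encrypt() uses APP_KEY and a random IV, so equal inputs give
    // different ciphertexts; the column is therefore not usable in a WHERE clause.
    public function setCardNumberAttribute($value)
    {
        $this->attributes['card_number'] = Crypt::encrypt((string) $value);
    }

    public function setExpirationDateAttribute($value)
    {
        $this->attributes['expiration_date'] = Crypt::encrypt((string) $value);
    }

    // No decrypting accessor on card_number: reading $card->card_number yields
    // ciphertext, so callers must ask for the plaintext explicitly.
    public function plainCardNumber()
    {
        return (string) Crypt::decrypt($this->attributes['card_number']);
    }

    // Constant-time comparison against user-supplied input, for lookups that
    // iterate over the authenticated user's own cards.
    public function matchesNumber($candidate)
    {
        return hash_equals($this->plainCardNumber(), (string) $candidate);
    }

    // Masked form for API responses: last four digits only.
    public function maskedNumber()
    {
        return '**** **** **** ' . substr($this->plainCardNumber(), -4);
    }

    public function user()
    {
        return $this->belongsTo(User::class);
    }
}
```

With this model, a controller restricts the query to `where('user_id', Auth::id())`, iterates the (small) result set calling `matchesNumber()`, and serialises only `maskedNumber()` and `card_holder_name`. If lookups by number must scale beyond a handful of cards per user, store a separate deterministic lookup column (for example a keyed hash of the number) alongside the ciphertext rather than making the encryption deterministic.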

Secure Code Example

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use App\Models\CreditCard;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Crypt;

class CreditCardController extends Controller
{
    public function __construct()
    {
        // Reject unauthenticated requests before the action runs
        $this->middleware('auth');
    }

    public function getCreditCardDetails(Request $request)
    {
        // Validate the input's shape only. The stored column holds ciphertext,
        // so an `exists` rule comparing it with the plaintext would never match.
        $validated = $request->validate([
            'card_number' => 'required|digits_between:12,19',
        ]);

        // Crypt::encrypt() returns a different ciphertext on every call, so the
        // card cannot be found by encrypting the input and comparing. Fetch only
        // the authenticated user's cards and compare after decrypting.
        $creditCard = CreditCard::where('user_id', Auth::id())
            ->get(['card_number', 'card_holder_name'])
            ->first(function ($card) use ($validated) {
                return hash_equals((string) Crypt::decrypt($card->card_number), $validated['card_number']);
            });

        if ($creditCard === null) {
            // Identical response whether the card does not exist or belongs to
            // another user, so the endpoint confirms nothing about other accounts
            return response()->json(['message' => 'Card not found'], 404);
        }

        // Return a masked number and the holder name only; the expiration date
        // and security code never leave the server
        return response()->json([
            'card_number'      => '**** **** **** ' . substr($validated['card_number'], -4),
            'card_holder_name' => $creditCard->card_holder_name,
        ]);
    }
}

The updated code includes several security measures to prevent automatic information enumeration of credit card details.

  1. **Authentication Middleware**: The `__construct` method registers the `auth` middleware, so only authenticated users can reach the `getCreditCardDetails` method.
  2. **Input Validation**: The `getCreditCardDetails` method validates that `card_number` is present and then looks it up only among the authenticated user's own cards (matching `user_id`), so one user cannot query another user's card.
  3. **Data Encryption**: The `card_number` is stored encrypted with Laravel's `Crypt` facade, so a database compromise alone does not expose card numbers. Note that `Crypt::encrypt` uses a random IV and returns a different ciphertext on every call, so a freshly encrypted input can never be used as a `WHERE` argument; the lookup has to decrypt the authenticated user's own records and compare, or use a separate deterministic lookup key such as a keyed hash.
  4. **Limited Data Exposure**: The method returns only the `card_number` and `card_holder_name`, and the `card_number` is masked so that only the last four digits are visible. The expiration date and security code are never included in the response.
  5. **Rate Limiting**: Although not shown in the code, rate limiting should be applied to this endpoint to prevent brute force attacks or automated enumeration of card details. This can be done with Laravel's built-in rate limiting features.
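The rate limiting mentioned in point 5 can be expressed with Laravel's named rate limiters and the `throttle` route middleware. The snippet below is an added example, not code from the original page or from the project it describes. It assumes Laravel 8 or later (where `RateLimiter::for` exists); the limiter name `card-lookup`, the limit of five attempts per minute and the route path are illustrative choices. On older releases the same effect is obtained with the positional form `throttle:5,1`, shown in a comment.

```php
<?php
// Added example, not part of the original page: per-user rate limiting for the
// card lookup endpoint. Limiter name, limits and route path are assumptions.

// --- app/Providers/RouteServiceProvider.php, inside boot() ---
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('card-lookup', function (Request $request) {
    // Key the bucket on the authenticated user so a single account cannot try
    // many numbers. Unauthenticated hits fall back to the client IP; the `auth`
    // middleware rejects them anyway, but the bucket still counts the attempts.
    $key = optional($request->user())->id ?: $request->ip();

    return Limit::perMinute(5)->by($key)->response(function () {
        // Generic 429 body: do not say whether the card exists
        return response()->json(['message' => 'Too many attempts'], 429);
    });
});

// --- routes/api.php ---
use App\Http\Controllers\CreditCardController;
use Illuminate\Support\Facades\Route;

Route::middleware(['auth', 'throttle:card-lookup'])
    ->post('/credit-card/details', [CreditCardController::class, 'getCreditCardDetails']);

// Laravel 5.x/6.x/7.x equivalent (no named limiters): 5 requests per minute,
// keyed by user id when authenticated, otherwise by IP.
// Route::middleware(['auth', 'throttle:5,1'])
//     ->post('/credit-card/details', 'CreditCardController@getCreditCardDetails');
```

Keying the bucket on the user rather than the IP is what stops a single compromised account from enumerating numbers through a proxy pool; for detection, the 429 responses from this limiter are worth alerting on, since a legitimate user rarely needs to look up more than a couple of cards per minute.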


References

  • 254 - Automatic information enumeration - Credit Cards
  • Last updated: 2023/09/18