Sensitive information sent insecurely
Need
Secure transmission of sensitive information
Context
• Usage of Ruby 2.7 for developing Ruby applications
• Usage of net-http for handling HTTP requests and responses in Node.js
• Usage of URI for parsing and manipulating Uniform Resource Identifiers (URIs)
• Usage of ActiveRecord for Object-Relational Mapping (ORM) in Ruby on Rails
Description
1. Non compliant code
def send_data
  user = User.find(params[:id])
  sensitive_data = user.sensitive_data
  uri = URI('http://example.com/api')
  Net::HTTP.post_form(uri, 'data' => sensitive_data)
endThe above Ruby on Rails code snippet is a representation of the vulnerability "Sensitive information sent insecurely". In this code, we are fetching a user's sensitive data from the database and sending it to an external API. The vulnerability here is that the sensitive data is being sent over an insecure HTTP connection. HTTP is not secure because it does not encrypt the data being transferred. This means that anyone who can intercept the connection (for example, on a public Wi-Fi network) could potentially read and misuse this sensitive data. The `Net::HTTP.post_form` method is used to send a POST request to the specified URI. The second parameter to this method is a Hash that contains the data to be sent. In this case, the Hash contains the sensitive data of the user. The `URI('http://example.com/api')` is the insecure endpoint where the data is being sent. As you can see, it uses the `http` protocol, which is not secure. If this were a real application, this endpoint should be using the `https` protocol instead, which encrypts the data being sent and ensures its confidentiality and integrity. The `user.sensitive_data` is just a placeholder for the actual sensitive data of the user. This could be anything from the user's password, credit card information, personal identifiable information (PII), etc.
2. Steps
• Use HTTPS instead of HTTP to ensure secure communication.
• Implement encryption to protect the sensitive data during transmission.
• Consider using a secure API endpoint with proper authentication and authorization mechanisms.
• Implement input validation and sanitization to prevent any potential injection attacks.
• Avoid sending sensitive data in the request parameters or query strings.
• Store sensitive data securely in the backend and retrieve it when needed, instead of sending it directly in the request.
• Follow secure coding practices and guidelines provided by the Ruby on Rails framework.
• Regularly update and patch the Ruby on Rails framework to address any security vulnerabilities.
• Perform security testing and code reviews to identify and fix any other potential vulnerabilities.
3. Secure code example
require 'net/https'
require 'uri'
def send_data
  user = User.find(params[:id])
  sensitive_data = user.sensitive_data
...The updated code now sends the sensitive data over HTTPS, which is a secure protocol that encrypts the data during transmission, ensuring its confidentiality and integrity. The `Net::HTTP` library in Ruby is used to send HTTP requests. The `use_ssl` property is set to `true` to enable HTTPS. The `verify_mode` is set to `OpenSSL::SSL::VERIFY_PEER` to verify the server's SSL certificate. The `Net::HTTP::Post` class is used to create a POST request. The sensitive data is included in the form data of the request. The `set_form_data` method is used to set the form data in the request. The `http.request(request)` method is used to send the POST request to the server and the response from the server is stored in the `response` variable. This code should be used in a secure environment where the server's SSL certificate can be verified. If the server's SSL certificate cannot be verified, the connection should not be trusted, and the sensitive data should not be sent. This code does not include any error handling. In a production environment, you should add appropriate error handling code to handle any potential errors or exceptions that may occur when sending the HTTP request. This code assumes that the sensitive data is a string. If the sensitive data is not a string, you will need to convert it to a string before including it in the form data. This code does not include any authentication or authorization mechanisms. If the API endpoint requires authentication or authorization, you will need to include the appropriate headers or parameters in the request.
References
• 017. Sensitive information sent insecurely