Skip main navigation


In this video, you will see how credit card details are handled on the OWASP Juice Shop database, followed by tips on how to mitigate these vulnerabil
Welcome to the third and last part of Sensitive Data Exposure session. In this part, we will discuss sensitive data exposure mitigation. We will start discussing what makes an application vulnerable, and then we will hunt OWASP Juice Shop vulnerable source code. Then, we will discuss how to avoid such vulnerabilities. Let’s have a look at what makes Juice Shop vulnerable. From OWASP Juice Shop project page, we can jump directly to the GitHub repo.
Let’s first check how credit card details are handled by the server.
Cards should be handled by the Finale package, and all operations passed directly to the card model.
The card model mplementation has just the schema, meaning that no operations are performed on user inputs before being stored or read from the database. Let’s check the front end components.
Now we know where the credit card number is masked.
Let’s now have a look at the Search feature to see the source code vulnerable to SQL injection.
As seen in our first session, we have, again, a SQL query template interpolated with user provided data without proper escaping.
You can now better understand the need for brackets in our payload. Let’s move forward and see how passwords are stored on signup.
We’re looking for requests submitted to users’ end points.
Apparently, signup is handled by the Finale package passing data directly to the user model.
Let’s have a look.
Okay, the password hash is computed when setting the user model’s password property value.
The insecurity hash function is used. Let’s check it.
Finally, we have found how password hashes are computed using MD5 with no salt. Let’s discuss how to mitigate these issues. Start classifying all processed, stored, and transmitted data. Identify which data is sensitive according to privacy laws, regulations, and business needs, then apply the appropriate controls as per the classification. Data that is not retained cannot be stolen. Discard the necessary data as soon as possible, or use tokenization or truncation to avoid sensitive data exposure. Choose up to date and strong standard algorithms, protocols, and keys. Encrypt sensitive data at rest. For passwords, use strong adaptive and salted hashing functions. For in-transit data, use secure protocols such as TLS. Disable caching for responses that contain sensitive data.
In our next session, we will discuss XXE, XML External Entities, flaws. Until then, take your time to carefully read the Sensitive Data Exposure section of OWASP Top 10.

In this video, you will see how credit card details are handled on the OWASP Juice Shop database, followed by tips on how to mitigate these vulnerabilities.

You have now learned how to set up your OWASP Juice Shop client database to include credit card information and how to hack the database to access that information. In this video, you will learn how to change your system rules to mitigate these vulnerabilities.

Reflect and share: Were you able to follow along with the video using OWASP Juice Shop to get the same results? Share anything you found challenging or have questions about here.

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now