Skip main navigation

Mitigation

In this video, you will see how credit card details are handled on the OWASP Juice Shop database, followed by tips on how to mitigate these vulnerabil
6.9
Welcome to the third and last part of Sensitive Data Exposure session. In this part, we will discuss sensitive data exposure mitigation. We will start discussing what makes an application vulnerable, and then we will hunt OWASP Juice Shop vulnerable source code. Then, we will discuss how to avoid such vulnerabilities. Let’s have a look at what makes Juice Shop vulnerable. From OWASP Juice Shop project page, we can jump directly to the GitHub repo.
42.6
Let’s first check how credit card details are handled by the server.
66.4
Cards should be handled by the Finale package, and all operations passed directly to the card model.
108.6
The card model mplementation has just the schema, meaning that no operations are performed on user inputs before being stored or read from the database. Let’s check the front end components.
165.1
Now we know where the credit card number is masked.
170.8
Let’s now have a look at the Search feature to see the source code vulnerable to SQL injection.
233.8
As seen in our first session, we have, again, a SQL query template interpolated with user provided data without proper escaping.
246.6
You can now better understand the need for brackets in our payload. Let’s move forward and see how passwords are stored on signup.
269.8
We’re looking for requests submitted to users’ end points.
283.5
Apparently, signup is handled by the Finale package passing data directly to the user model.
302
Let’s have a look.
327.6
Okay, the password hash is computed when setting the user model’s password property value.
337
The insecurity hash function is used. Let’s check it.
361.1
Finally, we have found how password hashes are computed using MD5 with no salt. Let’s discuss how to mitigate these issues. Start classifying all processed, stored, and transmitted data. Identify which data is sensitive according to privacy laws, regulations, and business needs, then apply the appropriate controls as per the classification. Data that is not retained cannot be stolen. Discard the necessary data as soon as possible, or use tokenization or truncation to avoid sensitive data exposure. Choose up to date and strong standard algorithms, protocols, and keys. Encrypt sensitive data at rest. For passwords, use strong adaptive and salted hashing functions. For in-transit data, use secure protocols such as TLS. Disable caching for responses that contain sensitive data.
418.1
In our next session, we will discuss XXE, XML External Entities, flaws. Until then, take your time to carefully read the Sensitive Data Exposure section of OWASP Top 10.

In this video, you will see how credit card details are handled on the OWASP Juice Shop database, followed by tips on how to mitigate these vulnerabilities.

You have now learned how to set up your OWASP Juice Shop client database to include credit card information and how to hack the database to access that information. In this video, you will learn how to change your system rules to mitigate these vulnerabilities.

Reflect and share: Were you able to follow along with the video using OWASP Juice Shop to get the same results? Share anything you found challenging or have questions about here.

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education