Mitigation

Welcome to the third and last part of Sensitive Data Exposure session. In this part, we will discuss sensitive data exposure mitigation. We will start discussing what makes an application vulnerable, and then we will hunt OWASP Juice Shop vulnerable source code. Then, we will discuss how to avoid such vulnerabilities. Let’s have a look at what makes Juice Shop vulnerable. From OWASP Juice Shop project page, we can jump directly to the GitHub repo.

Let’s first check how credit card details are handled by the server.

Cards should be handled by the Finale package, and all operations passed directly to the card model.

The card model mplementation has just the schema, meaning that no operations are performed on user inputs before being stored or read from the database. Let’s check the front end components.

Now we know where the credit card number is masked.

Let’s now have a look at the Search feature to see the source code vulnerable to SQL injection.

As seen in our first session, we have, again, a SQL query template interpolated with user provided data without proper escaping.

You can now better understand the need for brackets in our payload. Let’s move forward and see how passwords are stored on signup.

We’re looking for requests submitted to users’ end points.

Apparently, signup is handled by the Finale package passing data directly to the user model.

Let’s have a look.

Okay, the password hash is computed when setting the user model’s password property value.

The insecurity hash function is used. Let’s check it.

Finally, we have found how password hashes are computed using MD5 with no salt. Let’s discuss how to mitigate these issues. Start classifying all processed, stored, and transmitted data. Identify which data is sensitive according to privacy laws, regulations, and business needs, then apply the appropriate controls as per the classification. Data that is not retained cannot be stolen. Discard the necessary data as soon as possible, or use tokenization or truncation to avoid sensitive data exposure. Choose up to date and strong standard algorithms, protocols, and keys. Encrypt sensitive data at rest. For passwords, use strong adaptive and salted hashing functions. For in-transit data, use secure protocols such as TLS. Disable caching for responses that contain sensitive data.

In our next session, we will discuss XXE, XML External Entities, flaws. Until then, take your time to carefully read the Sensitive Data Exposure section of OWASP Top 10.