
Exercise 29: Sensitive Data Exposure (Encryption)

Mar 16, 2025

Objective

Learn how to exploit vulnerabilities related to Sensitive Data Exposure, particularly focusing on weak or absent encryption. Understand how to secure sensitive information through strong encryption practices for data storage and transmission.

Scenario

You are testing a web application that handles sensitive user data, such as passwords and credit card information. The application stores this data in plaintext and transmits it over an unencrypted HTTP connection. Your goal is to exploit this vulnerability by intercepting data in transit and accessing sensitive data stored insecurely.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP, databases, and encryption.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
  • Wireshark or Burp Suite installed for traffic interception.

Step 1: Create the Vulnerable Web Application

Database Setup

Create a new database and users table:

CREATE DATABASE sensitive_data_lab;
USE sensitive_data_lab;

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL,
    password VARCHAR(100) NOT NULL,
    credit_card VARCHAR(20) NOT NULL
);

PHP Script for User Registration (Insecure)

Create a file register.php:

<?php
// Intentionally insecure: the password and card number are written to the database exactly as submitted.
$conn = mysqli_connect("localhost", "root", "", "sensitive_data_lab");
if (!$conn) {
    die("Database connection failed: " . mysqli_connect_error());
}

if (isset($_POST['register'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];        // Stored in plaintext
    $credit_card = $_POST['credit_card'];  // Stored in plaintext

    // Prepared statement so the lab demonstrates only the data-exposure flaw, not SQL injection
    $stmt = mysqli_prepare($conn, "INSERT INTO users (username, password, credit_card) VALUES (?, ?, ?)");
    mysqli_stmt_bind_param($stmt, "sss", $username, $password, $credit_card);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    echo "<h2>Registration Successful!</h2>";
}
?>

<h2>User Registration</h2>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    Credit Card Number: <input type="text" name="credit_card" required><br>
    <button type="submit" name="register">Register</button>
</form>

Running the Application

  • Start the Apache server.
  • Place register.php in the web server’s root directory (htdocs for XAMPP).
  • Open http://localhost/register.php in your browser.

Exploitation Steps

Step 1: Intercepting Data in Transit

  1. Open Wireshark or Burp Suite.
  2. Start capturing network traffic while submitting the registration form.
  3. Expected Result:
    • Plaintext username, password, and credit card data are visible in the network traffic.

Step 2: Accessing Data Stored in Plaintext

Access the database:

SELECT * FROM users;

Expected Result:

Passwords and credit card numbers are stored in plaintext.


Solution and Prevention

Problem Analysis

  • The application stores sensitive data in plaintext and transmits it over an unencrypted connection.

Fixing the Vulnerability

Use Strong Password Hashing

Replace plaintext password storage with secure hashing:

$password = password_hash($_POST['password'], PASSWORD_BCRYPT);

Encrypt Sensitive Data Before Storage

Encrypt credit card information using AES-256:

// The key must come from a secrets store (see Key Management below), never be generated per request:
// a key that is not retained cannot decrypt the record later.
$encryption_key = base64_decode(getenv('CC_ENCRYPTION_KEY'));   // 32 bytes for AES-256
$iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));   // fresh random IV per record
$encrypted_cc = openssl_encrypt($_POST['credit_card'], 'aes-256-cbc', $encryption_key, 0, $iv);
$stored_cc = base64_encode($iv) . ':' . $encrypted_cc;           // the IV is stored with the ciphertext; decryption needs it
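The two fixes above (password hashing and encrypting the card number at rest) combined into one handler, as an added example that is not the lab's own register.php. It assumes a 32-byte key arrives base64-encoded in a hypothetical CC_ENCRYPTION_KEY environment variable (populated from a KMS/Vault secret in production), a DB_PASSWORD variable for a non-root database user, and that users.credit_card has been widened to VARCHAR(255) so the IV, tag and ciphertext fit. It uses AES-256-GCM rather than CBC so that a modified database record fails to decrypt instead of yielding garbage; run it with php on the command line for an offline round-trip and tamper check.

```php
<?php
// Added example, not the lab's original register.php: hashing + authenticated encryption.
// Assumptions: CC_ENCRYPTION_KEY (base64, 32 bytes) and DB_PASSWORD are set in the environment,
// and users.credit_card is VARCHAR(255).
declare(strict_types=1);

const CC_CIPHER = 'aes-256-gcm';   // authenticated mode: a tampered record fails to decrypt

function load_key(): string {
    $b64 = getenv('CC_ENCRYPTION_KEY');
    $key = $b64 === false ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('CC_ENCRYPTION_KEY must be a base64-encoded 32-byte key');
    }
    return $key;
}

// Stored format: "v1:" base64(iv) ":" base64(tag) ":" base64(ciphertext).
// The IV is kept with the record because decryption needs it; a fresh random IV per record
// is what stops two identical card numbers from producing identical ciphertext.
function encrypt_card(string $pan, string $key): string {
    $iv  = random_bytes(openssl_cipher_iv_length(CC_CIPHER));
    $tag = '';
    $ct  = openssl_encrypt($pan, CC_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return 'v1:' . base64_encode($iv) . ':' . base64_encode($tag) . ':' . base64_encode($ct);
}

function decrypt_card(string $stored, string $key): string {
    $parts = explode(':', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'v1') {
        throw new RuntimeException('unrecognised ciphertext format');
    }
    $iv  = base64_decode($parts[1], true);
    $tag = base64_decode($parts[2], true);
    $ct  = base64_decode($parts[3], true);
    $pan = openssl_decrypt($ct, CC_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pan === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered record');
    }
    return $pan;
}

if (PHP_SAPI === 'cli') {
    // Offline round-trip check with a throwaway key (a real key never lives in source).
    putenv('CC_ENCRYPTION_KEY=' . base64_encode(random_bytes(32)));
    $key  = load_key();
    $blob = encrypt_card('4111111111111111', $key);   // constructed test card number
    echo "stored value: $blob\n";
    echo "round trip ok: " . var_export(decrypt_card($blob, $key) === '4111111111111111', true) . "\n";
    $parts = explode(':', $blob);
    $parts[3][0] = $parts[3][0] === 'A' ? 'B' : 'A';   // flip one character of the ciphertext
    try {
        decrypt_card(implode(':', $parts), $key);
    } catch (RuntimeException $e) {
        echo "tamper detected: {$e->getMessage()}\n";
    }
    exit;
}

if (isset($_POST['register'])) {
    $key  = load_key();
    $conn = mysqli_connect('localhost', 'lab_user', getenv('DB_PASSWORD') ?: '', 'sensitive_data_lab');
    if (!$conn) {
        die('Database connection failed');
    }
    $username      = $_POST['username'];
    $password_hash = password_hash($_POST['password'], PASSWORD_BCRYPT);            // never the plaintext
    $card_blob     = encrypt_card(preg_replace('/\D/', '', $_POST['credit_card']), $key);

    $stmt = mysqli_prepare($conn, 'INSERT INTO users (username, password, credit_card) VALUES (?, ?, ?)');
    mysqli_stmt_bind_param($stmt, 'sss', $username, $password_hash, $card_blob);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    echo '<h2>Registration Successful!</h2>';
}
```

The password is hashed, not encrypted, because the application never needs it back; the card number is encrypted because it may have to be decrypted for a later charge. The "v1:" prefix is a small versioning hook so a future key rotation or cipher change can recognise old records.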

Implement HTTPS for Secure Transmission

Configure SSL/TLS on the web server to enforce HTTPS.

Redirect HTTP requests to HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Apply Proper Key Management

Store encryption keys securely using key management systems (e.g., AWS KMS, HashiCorp Vault).

Use PCI DSS Compliance Standards

Follow PCI DSS guidelines for handling credit card data.


Testing After Fix

  1. Submit the registration form after applying encryption.
  2. Intercept the traffic using Wireshark/Burp Suite.
  3. Expected Result:
    • Data in transit is encrypted, and sensitive data is securely stored in the database.
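A read-only check of what actually landed in the users table after the fix, as an added example that is not part of the lab. It flags any password column that is not a password_hash() output and any credit_card column that still holds a Luhn-valid card number. The sample rows are constructed inline so it runs with plain php and no database; in the lab you would replace them with the result of mysqli_fetch_all() over SELECT username, password, credit_card FROM users.

```php
<?php
// Added example, not part of the lab: audit stored rows for plaintext secrets.
// Sample rows below are constructed; swap in rows fetched from the users table in the lab.
declare(strict_types=1);

// Luhn checksum: true for syntactically valid card numbers such as the test PAN 4111111111111111.
function luhn_valid(string $digits): bool {
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// 13-19 digits (after removing spaces/dashes) that pass Luhn is almost certainly a plaintext PAN;
// ciphertext, being base64 with separators, never matches.
function looks_like_plaintext_pan(string $value): bool {
    $digits = preg_replace('/[\s-]/', '', $value);
    return (bool) preg_match('/^\d{13,19}$/', $digits) && luhn_valid($digits);
}

// password_get_info() reports 'unknown' for anything that is not a recognised password_hash() output.
function is_password_hash(string $value): bool {
    return password_get_info($value)['algoName'] !== 'unknown';
}

// Returns one finding string per problem; an empty array means every row is stored safely.
function audit_rows(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        if (!is_password_hash($row['password'])) {
            $findings[] = "user {$row['username']}: password column is not a password hash";
        }
        if (looks_like_plaintext_pan($row['credit_card'])) {
            $findings[] = "user {$row['username']}: credit_card column holds a plaintext card number";
        }
    }
    return $findings;
}

// Constructed sample rows: the first is what the vulnerable register.php writes,
// the second is what a hardened version writes (bcrypt hash, encrypted card in v1:iv:tag:ct form).
$sample_rows = [
    ['username' => 'alice', 'password' => 'hunter2', 'credit_card' => '4111 1111 1111 1111'],
    [
        'username'    => 'bob',
        'password'    => password_hash('correct horse', PASSWORD_BCRYPT),
        'credit_card' => 'v1:' . base64_encode(random_bytes(12)) . ':' . base64_encode(random_bytes(16))
                       . ':' . base64_encode(random_bytes(16)),
    ],
];

$findings = audit_rows($sample_rows);
if ($findings === []) {
    echo "OK: no plaintext secrets found\n";
} else {
    foreach ($findings as $f) {
        echo "FINDING: $f\n";
    }
}
```

Running it prints two findings for alice and none for bob. The same check belongs in a post-deployment test so that a regression to plaintext storage is caught by the pipeline rather than by an intercepting proxy.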

Conclusion

In this lab, you exploited Sensitive Data Exposure by intercepting plaintext data and accessing unencrypted database records. You also learned how to mitigate this risk through password hashing, strong encryption (AES-256), enforcing HTTPS, and implementing proper key management practices.
