
I recently took over a service at work that handles credit card encryption. It's a Spring Boot 2.0 application, and credit card info is passed in via a POST API.

Our security team was able to obtain credit card numbers using a memory scraping attack, and I'm looking for ways to fix this.

The credit card number is stored as a String in the request DTO. Here is the relevant code:

import org.springframework.http.ResponseEntity;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.RequestBody;
import org.hibernate.validator.constraints.CreditCardNumber;
import lombok.Data;
import lombok.NoArgsConstructor;

public ResponseEntity<ResponseDTO> saveCreditCard(@RequestBody @Validated CreditCardDTO creditCardDTO){
....
}

@Data               // Lombok: generates getters/setters and a toString() that includes every field
@NoArgsConstructor
public class CreditCardDTO {
    @CreditCardNumber   // Hibernate Validator Luhn check; declared for CharSequence only
    private String ccNumber;
...
}

Is this the root cause of this security issue? Shouldn't the DTO be GCed once the request is completed? The application has a 2G heap and very low traffic; is it possible for Java to not trigger GC for weeks?

Also, what are my remedy options? I do want to keep validations like @CreditCardNumber. And changing the API format is probably not acceptable.

IMO setting the DTO to null or calling System.gc() isn't guaranteed to work. Plus the GC pause could be an issue as well.

Matthew
    "*Credit card number is stored as string...*" - That is definitively a security concern. A `String` is an immutable object, and object cannot explicitly destroyed. The common way to handle, e.g., passwords is using `char[]` instead of `String` (see [this question](https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords) by [Ahmed](https://stackoverflow.com/users/953140/ahamed)). – Turing85 Mar 05 '21 at 19:55
  • There's a documented version of SecureString from Oracle that is posted here: https://stackoverflow.com/questions/51242150/java-equivalent-of-securestring. This would be the best way to deal with this. – Joe Mar 05 '21 at 20:17
  • @Turing85 Yeah I totally agree the string should be the issue. But the hibernate validator `@CreditCardNumber` doesn't work for char[] or even long... Why would they make something like this? Or is this the wrong usage for this annotation – Matthew Mar 05 '21 at 21:02
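The comments point at `char[]` but the question's constraint is that `@CreditCardNumber` only works on `CharSequence` and the JSON API cannot change. The following is an added example, not code from the original post or from Spring, Jackson or Hibernate Validator: a `char[]`-backed holder that Jackson fills directly from its token buffer (so no `String` copy of the PAN is ever created by the application), a Luhn constraint written for that holder so the validation survives the change, and a DTO with the same `ccNumber` JSON field as the original. On the GC question, a dead `String`'s characters stay in the heap until the collector compacts over them or the memory is reused, so the only thing application code controls is how many copies exist and whether any copy gets overwritten. It assumes Spring Boot 2.x's usual classpath (jackson-databind and hibernate-validator); the names `SecureChars`, `SecureCharsDeserializer`, `LuhnChars` and `LuhnCharsValidator` are hypothetical, and the 12-19 digit length check is an addition that `@CreditCardNumber` itself does not make.

```java
// Added example, not from the original post: keep the JSON shape and the Luhn
// validation, but never let the PAN become a java.lang.String inside the app.
// Assumes jackson-databind and hibernate-validator on the classpath.
// SecureChars, SecureCharsDeserializer, LuhnChars, LuhnCharsValidator: hypothetical names.
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;
import javax.validation.Validation;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public final class SecureCardNumberExample {

    /** Mutable PAN holder; close() overwrites the digits. Never call new String(chars()). */
    public static final class SecureChars implements AutoCloseable {
        private final char[] value;
        SecureChars(char[] value) { this.value = value; }
        public char[] chars() { return value; }
        @Override public void close() { Arrays.fill(value, '\0'); }
        @Override public String toString() { return "SecureChars[***]"; } // safe in logs / Lombok toString
    }

    /** Copies the token straight out of Jackson's char buffer; no String is built for the value. */
    public static final class SecureCharsDeserializer extends JsonDeserializer<SecureChars> {
        @Override
        public SecureChars deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            if (!p.hasToken(JsonToken.VALUE_STRING)) {
                return (SecureChars) ctxt.handleUnexpectedToken(SecureChars.class, p);
            }
            char[] buf = p.getTextCharacters();   // parser-owned buffer, not a String
            int off = p.getTextOffset();
            return new SecureChars(Arrays.copyOfRange(buf, off, off + p.getTextLength()));
        }
    }

    /** Replacement for @CreditCardNumber that validates the char[] holder instead of a CharSequence. */
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = LuhnCharsValidator.class)
    public @interface LuhnChars {
        String message() default "invalid card number";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static final class LuhnCharsValidator implements ConstraintValidator<LuhnChars, SecureChars> {
        @Override
        public boolean isValid(SecureChars v, ConstraintValidatorContext ctx) {
            return v == null || luhnValid(v.chars()); // pair with @NotNull to reject a missing field
        }
    }

    /** Luhn mod-10 over digits only; the 12-19 length bound is an added check for real PAN sizes. */
    static boolean luhnValid(char[] d) {
        if (d.length < 12 || d.length > 19) return false;
        int sum = 0;
        boolean dbl = false;
        for (int i = d.length - 1; i >= 0; i--) {
            int n = d[i] - '0';
            if (n < 0 || n > 9) return false;
            if (dbl) { n *= 2; if (n > 9) n -= 9; }
            sum += n;
            dbl = !dbl;
        }
        return sum % 10 == 0;
    }

    /** Same JSON field name ("ccNumber") as the original DTO, so the API contract is unchanged. */
    public static final class CreditCardDTO {
        @LuhnChars
        @JsonDeserialize(using = SecureCharsDeserializer.class)
        private SecureChars ccNumber;
        public SecureChars getCcNumber() { return ccNumber; }
        public void setCcNumber(SecureChars ccNumber) { this.ccNumber = ccNumber; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed body with the Luhn-valid Visa test PAN 4111111111111111. In the real
        // service the bytes come from the servlet request; this String exists only for the demo.
        String body = "{\"ccNumber\":\"4111111111111111\"}";
        CreditCardDTO dto = new ObjectMapper().readValue(body, CreditCardDTO.class);
        try (SecureChars pan = dto.getCcNumber()) {
            boolean ok = Validation.byDefaultProvider().configure()
                    .messageInterpolator(new ParameterMessageInterpolator()) // avoids an EL dependency
                    .buildValidatorFactory().getValidator().validate(dto).isEmpty();
            System.out.println(ok ? "valid PAN" : "invalid PAN");
            // encrypt(pan.chars()) goes here; never convert pan to a String on the way
        } // close() zeroes the char[] whether or not encryption threw
    }
}
```

The DTO drops into the existing `saveCreditCard(@RequestBody @Validated CreditCardDTO ...)` signature; the controller body should wrap its work in the same `try (SecureChars pan = dto.getCcNumber())` so the digits are overwritten as soon as the ciphertext exists. Two caveats a reviewer will raise: Jackson recycles its text buffer through a thread-local `BufferRecycler`, and the servlet container and TLS layer hold the raw request bytes in their own buffers, so this removes the long-lived immutable copy but not every transient one. And if you keep Lombok's `@Data`, its generated `toString()` includes every field, which is why the holder masks itself.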

0 Answers