update privacy example

OWASP · cpholguera · Feb 14, 2024 · Oct 13, 2023 · Oct 13, 2023 · Oct 14, 2023
commit 186d731f93340a7fac9eea1c3847346e70505a4a
diff --git a/...ve-data-in-network-traffic/android-data-in-traffic-capture/example-1/example.md b/...ve-data-in-network-traffic/android-data-in-traffic-capture/example-1/example.md
@@ -1,6 +1,6 @@
 ---
 platform: android
-title: Detecting User Name and Password in Network Traffic
+title: Detecting Sensitive Data in Network Traffic
 tools: [mitmproxy]
 code: [kotlin]
 ---
@@ -27,8 +27,8 @@ The script has identified several instances in the network traffic where sensiti
 
 Review each of the reported instances.
 
-- The first instance is a POST request to `https://httpbin.org/post` which contains the user and password in the request body.
-- The second instance is a response from `https://httpbin.org/post` which contains the user and password in the response body.
+- The first instance is a POST request to `https://httpbin.org/post` which contains the sensitive data values in the request body.
+- The second instance is a response from `https://httpbin.org/post` which contains the sensitive data values in the response body.
 
 This is a dummy example, but in a real-world scenario, you should determine which of the reported instances are privacy-relevant and need to be addressed. You can use the list of sensitive data you identified in the [Identify your sensitive data](MASTG-KNOW-0001) section as a reference.
 

diff --git a/...ata-in-network-traffic/android-data-in-traffic-capture/example-1/mitm_sensitive_logger.py b/...ata-in-network-traffic/android-data-in-traffic-capture/example-1/mitm_sensitive_logger.py
@@ -1,6 +1,17 @@
 from mitmproxy import http
 
-SENSITIVE_STRINGS = ["dummyPassword", "sampleUser"]
+# This data would come from another file and should be defined after identifying the data that is considered sensitive for this application.
+# For example by using the Google Play Store Data Safety section.
+SENSITIVE_DATA = {
+    "precise_location_latitude": "37.7749",
+    "precise_location_longitude": "-122.4194",
+    "name": "John Doe",
+    "email_address": "john.doe@example.com",
+    "phone_number": "+11234567890",
+    "credit_card_number": "1234 5678 9012 3456"
+}
+
+SENSITIVE_STRINGS = SENSITIVE_DATA.values()
 
 def contains_sensitive_data(string):
     return any(sensitive in string for sensitive in SENSITIVE_STRINGS)
@@ -14,18 +25,16 @@ def process_flow(flow):
 
     if (contains_sensitive_data(url) or 
         contains_sensitive_data(request_body) or 
-        any(contains_sensitive_data(header) for header in request_headers.values()) or
-        any(contains_sensitive_data(header) for header in response_headers.values()) or
         contains_sensitive_data(response_body)):
         with open("sensitive_data.log", "a") as file:
             if flow.response:
-                file.write(f"RESPONSE URL: {flow.request.pretty_url}\n")
-                file.write(f"Response Headers: {flow.response.headers}\n")
-                file.write(f"Response Body: {flow.response.text}\n\n")
+                file.write(f"RESPONSE URL: {url}\n")
+                file.write(f"Response Headers: {response_headers}\n")
+                file.write(f"Response Body: {response_body}\n\n")
             else:
-                file.write(f"REQUEST URL: {flow.request.pretty_url}\n")
-                file.write(f"Request Headers: {flow.request.headers}\n")
-                file.write(f"Request Body: {flow.request.text}\n\n")
+                file.write(f"REQUEST URL: {url}\n")
+                file.write(f"Request Headers: {request_headers}\n")
+                file.write(f"Request Body: {request_body}\n\n")
 def request(flow: http.HTTPFlow):
     process_flow(flow)
 

diff --git a/...ve-data-in-network-traffic/android-data-in-traffic-capture/example-1/send-post-request.kt b/...ve-data-in-network-traffic/android-data-in-traffic-capture/example-1/send-post-request.kt
@@ -1,3 +1,12 @@
+val SENSITIVE_DATA = mapOf(
+    "precise_location_latitude" to "37.7749",
+    "precise_location_longitude" to "-122.4194",
+    "name" to "John Doe",
+    "email_address" to "john.doe@example.com",
+    "phone_number" to "+11234567890",
+    "credit_card_number" to "1234 5678 9012 3456"
+)
+
 val thread = Thread {
     try {
         val url = URL("https://httpbin.org/post")
@@ -6,10 +15,10 @@ val thread = Thread {
         httpURLConnection.doOutput = true
         httpURLConnection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded")
 
-        val user = "sampleUser"
-        val password = "dummyPassword"
-
-        val postData = "username=$user&password=$password"
+        // Creating POST data from the SENSITIVE_DATA map
+        val postData = SENSITIVE_DATA.map { (key, value) ->
+            "${URLEncoder.encode(key, "UTF-8")}=${URLEncoder.encode(value, "UTF-8")}"
+        }.joinToString("&")
 
         val outputStream = BufferedOutputStream(httpURLConnection.outputStream)
         val bufferedWriter = BufferedWriter(OutputStreamWriter(outputStream, "UTF-8"))
@@ -29,4 +38,4 @@ val thread = Thread {
         e.printStackTrace()
     }
 }
-thread.start()
+thread.start()
diff --git a/...tive-data-in-network-traffic/android-data-in-traffic-capture/example-1/sensitive_data.log b/...tive-data-in-network-traffic/android-data-in-traffic-capture/example-1/sensitive_data.log
@@ -1,28 +1,30 @@
 REQUEST URL: https://httpbin.org/post
-Request Headers: Headers[(b'Content-Type', b'application/x-www-form-urlencoded'), (b'User-Agent', b'Dalvik/2.1.0 (Linux; U; Android 13; sdk_gphone64_arm64 Build/TE1A.220922.021)'), (b'Host', b'httpbin.org'), (b'Connection', b'Keep-Alive'), (b'Accept-Encoding', b'gzip'), (b'Content-Length', b'42')]
-Request Body: username=sampleUser&password=dummyPassword
+Request Headers: Headers[(b'Content-Type', b'application/x-www-form-urlencoded'), (b'User-Agent', b'Dalvik/2.1.0 (Linux; U; Android 13; sdk_gphone64_arm64 Build/TE1A.220922.021)'), (b'Host', b'httpbin.org'), (b'Connection', b'Keep-Alive'), (b'Accept-Encoding', b'gzip'), (b'Content-Length', b'188')]
+Request Body: precise_location_latitude=37.7749&precise_location_longitude=-122.4194&name=John+Doe&email_address=john.doe%40example.com&phone_number=%2B11234567890&credit_card_number=1234+5678+9012+3456
 
 RESPONSE URL: https://httpbin.org/post
-Response Headers: Headers[(b'Date', b'Tue, 16 Jan 2024 09:08:08 GMT'), (b'Content-Type', b'application/json'), (b'Content-Length', b'548'), (b'Connection', b'keep-alive'), (b'Server', b'gunicorn/19.9.0'), (b'Access-Control-Allow-Origin', b'*'), (b'Access-Control-Allow-Credentials', b'true')]
+Response Headers: Headers[(b'Date', b'Fri, 19 Jan 2024 10:17:44 GMT'), (b'Content-Type', b'application/json'), (b'Content-Length', b'735'), (b'Connection', b'keep-alive'), (b'Server', b'gunicorn/19.9.0'), (b'Access-Control-Allow-Origin', b'*'), (b'Access-Control-Allow-Credentials', b'true')]
 Response Body: {
   "args": {}, 
   "data": "", 
   "files": {}, 
   "form": {
-    "password": "dummyPassword", 
-    "username": "sampleUser"
+    "credit_card_number": "1234 5678 9012 3456", 
+    "email_address": "john.doe@example.com", 
+    "name": "John Doe", 
+    "phone_number": "+11234567890", 
+    "precise_location_latitude": "37.7749", 
+    "precise_location_longitude": "-122.4194"
   }, 
   "headers": {
     "Accept-Encoding": "gzip", 
-    "Content-Length": "42", 
+    "Content-Length": "188", 
     "Content-Type": "application/x-www-form-urlencoded", 
     "Host": "httpbin.org", 
     "User-Agent": "Dalvik/2.1.0 (Linux; U; Android 13; sdk_gphone64_arm64 Build/TE1A.220922.021)", 
-    "X-Amzn-Trace-Id": "Root=1-65a64778-78495e9f5d742c9b0c7a75d8"
+    "X-Amzn-Trace-Id": "Root=1-65aa4c48-45514c0e3782665063b14397"
   }, 
   "json": null, 
   "origin": "148.141.65.87", 
   "url": "https://httpbin.org/post"
-}
-
-
+}