Operations

What are operations?

Operations are different ways to navigate structured data and transform a piece of it by either redacting or replacing the value with a surrogate value.

Operations Examples

Most Common:

  • JSONPath (JSON)
  • XPath (XML)
  • Form
  • HTML / CSS
  • Regex

JSONPath

{
  "customer": [
    {
      "name": "John Doe",
      "address_city": "Springfield",
      "address_country": "USA",
      "address_line1": "123 Main St.",
      "address_line2": null,
      "address_state": "CA",
      "address_zip": "99999",
      "credit_card": "4111111111111111",
      "card_exp": "9/23",
      "card_cvv": "123"
    }
  ]
}

To redact the PCI data in this payload, we need to create two JSONPath operations.

Nesting with JSONPath is fairly straightforward: every level down in standard JSON is just $.toplevelkey.midlevelkey.finallevelkey. If there are lists in between, you select the item using its index (or use a wildcard (*) for anything in the list). If you want to experiment with JSONPath, check out this tool.

To redact the credit_card number, all we have to do is select the key. With JSONPath selected as the operation, enter this snippet on the line next to it:

$.customer[0].credit_card

In advanced options you can select FPE_6_T_4 to keep the credit card format for mod 10 / Luhn validation.

To redact the CVV, we need to store it in memory, not persistently. So we add a new entry with “Add Entry”.

Do exactly the same thing, but change the JSONPath to:

$.customer[0].card_cvv

In advanced options we need to select Storage Volatile.
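To confirm that a selector actually reaches the field before relying on it, the following added example (not VGS code) implements a small JSONPath subset and counts the values each path replaces on a constructed copy of the payload above. The `parsePath`, `keysFor`, `redact` and `check` helpers and the fixed surrogate are assumptions for illustration; a count of 0 means the value would pass through untouched.

```javascript
// Added example: a small JSONPath subset ($.key, [n], [*]) to test selectors.
const SAMPLE = { // constructed, same shape as the payload on this page
  customer: [{ name: "John Doe", credit_card: "4111111111111111", card_cvv: "123" }],
};
const surrogate = () => "tok_sandbox_asd123"; // placeholder, not a real alias

// "$.customer[0].credit_card" -> ["customer", 0, "credit_card"]; "*" = wildcard.
function parsePath(path) {
  const steps = [];
  const re = /\.([A-Za-z_]\w*)|\[(\d+|\*)\]/y; // sticky: no gaps between steps
  re.lastIndex = 1; // skip the leading "$"
  let m;
  while (path[0] === "$" && (m = re.exec(path)) !== null) {
    steps.push(m[1] !== undefined ? m[1] : m[2] === "*" ? "*" : Number(m[2]));
    if (re.lastIndex === path.length) return steps;
  }
  throw new Error("unsupported path: " + path);
}

// Keys of `node` that one path step selects (none if the shape does not fit).
function keysFor(node, step) {
  if (node === null || typeof node !== "object") return [];
  if (step === "*") return Object.keys(node);
  if (typeof step === "number") return Array.isArray(node) && step < node.length ? [step] : [];
  return !Array.isArray(node) && Object.prototype.hasOwnProperty.call(node, step) ? [step] : [];
}

// Replace every selected value in place; return the number of replacements.
function redact(doc, path, replace) {
  const steps = parsePath(path);
  const last = steps.pop();
  let parents = [doc];
  for (const step of steps) parents = parents.flatMap((n) => keysFor(n, step).map((k) => n[k]));
  let count = 0;
  for (const parent of parents) {
    for (const key of keysFor(parent, last)) {
      parent[key] = replace(parent[key]);
      count++;
    }
  }
  return count;
}

// Run a selector against a fresh copy; a count of 0 means nothing was redacted.
function check(path) {
  const doc = JSON.parse(JSON.stringify(SAMPLE));
  return { count: redact(doc, path, surrogate), doc };
}
console.log(["$.customer[0].credit_card", "$.customer[*].card_cvv", "$.customer.credit_card"].map((p) => check(p).count));
```

The third path omits the list index, so it selects nothing and the card number is left in clear text.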

XPath

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schp.org/e/" xmlns:xsd="http:rg/2chema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Body>
        <AddCardResponse xmlns="">
            <ResponseCode>00</ResponseCode>
            <ResponseDesc>New Card Purchase Order Completed Successfully (932501******1238)</ResponseDesc>
            <NewCardNumber>
                <Number>4111111111111111</Number>
                <ExpiryDate>092019</ExpiryDate>
            </NewCardNumber>
            <Balance>0.00</Balance>
            <TransId>F378</TransId>
            <CustomerId>3250033</CustomerId>
            <Fee>0.00</Fee>
            <ReferenceID>32513325</ReferenceID>
            <NameOnCard>Andrew </NameOnCard>
        </AddCardResponse>
    </soapenv:Body>
</soapenv:Envelope>

XPath can be used to navigate or search for a unique node.

//Number

To check XPath navigation use this tool.

Form

Another type of transformer in this guide is the Form operation. It uses the form field input names as the selector.

HTML form example:

<div class="creditCardForm">
    <div class="heading">
        <h1>Confirm Purchase</h1>
    </div>
    <div class="payment">
        <form action="https://<tenantid>.sandbox.verygoodproxy.com" method="post">
            <div class="form-group owner">
                <label for="owner">Owner</label>
                <input type="text" class="form-control" name="owner" id="owner">
            </div>
            <div class="form-group CVV">
                <label for="cvv">CVV</label>
                <input type="text" class="form-control" name="cvv" id="cvv">
            </div>
            <div class="form-group" id="card-number-field">
                <label for="cardNumber">Card Number</label>
                <input type="text" class="form-control" name="cardNumber" id="cardNumber">
            </div>
            <div class="form-group" name="expiration-date" id="expiration-date">
                <label>Expiration Date</label>
                <select>
                    <option value="01">January</option>
                    <option value="02">February </option>
                    <option value="03">March</option>
                    <option value="04">April</option>
                    <option value="05">May</option>
                    <option value="06">June</option>
                    <option value="07">July</option>
                    <option value="08">August</option>
                    <option value="09">September</option>
                    <option value="10">October</option>
                    <option value="11">November</option>
                    <option value="12">December</option>
                </select>
                <select>
                    <option value="16"> 2016</option>
                    <option value="17"> 2017</option>
                    <option value="18"> 2018</option>
                    <option value="19"> 2019</option>
                    <option value="20"> 2020</option>
                    <option value="21"> 2021</option>
                </select>
            </div>
            <div class="form-group" id="pay-now">
                <button type="submit" class="btn btn-default" id="confirm-purchase">Confirm</button>
            </div>
        </form>
    </div>
</div>

For forms, the “name” of the input field is all that’s required to replace the value with a surrogate. If the form is URL-encoded, make sure you enter the filters as they look decoded.

Select the “Form” transformer and just enter:

cardNumber

Then, under a new entry with volatile storage, enter the following for the CVV:

cvv
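An added example (not VGS code) of why selectors are entered in decoded form: `redactForm` is a hypothetical helper that matches selectors against the decoded field names of a URL-encoded body and reports selectors that never matched. The request body, the `card[number]` field name and the placeholder surrogates are constructed for illustration.

```javascript
// Added example: Form-style replacement on a URL-encoded body.
// Selectors are compared with the DECODED field names, as the text advises.
function redactForm(body, selectors, replace) {
  const fields = new URLSearchParams(body); // decodes names and values
  const seen = new Set();
  const out = new URLSearchParams();
  for (const [name, value] of fields) {
    const hit = selectors.includes(name);
    if (hit) seen.add(name);
    out.append(name, hit ? replace(name, value) : value);
  }
  return {
    body: out.toString(), // re-encoded for the upstream request
    unmatched: selectors.filter((s) => !seen.has(s)), // selectors that never fired
  };
}

// CONSTRUCTED request body. "card[number]" is a hypothetical field name, chosen
// because it looks different once percent-encoded (card%5Bnumber%5D).
const BODY = "owner=Jane+Doe&card%5Bnumber%5D=4111111111111111&cvv=123";

// Placeholder surrogate derived from the field name; not a real alias format.
const placeholder = (name) => "tok_sandbox_" + name.replace(/\W/g, "_");

// Selector typed as the decoded name: both fields are replaced.
const decoded = redactForm(BODY, ["card[number]", "cvv"], placeholder);
// Selector typed as it appears on the wire: it never matches, and the card
// number is forwarded unchanged. The unmatched list makes that visible.
const encoded = redactForm(BODY, ["card%5Bnumber%5D", "cvv"], placeholder);

console.log(decoded.body, decoded.unmatched);
console.log(encoded.body, encoded.unmatched);
```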

HTML

You can select this transformer option to select data in HTML forms by using CSS selectors.

If you have used a JS library like Sizzle or jQuery you will already be familiar with these.

The simplest selectors allow you to match on:

  • class names through a . e.g. .myClassName
  • an identifier via a # e.g. #myId
  • an attribute using a pair of brackets, with an attribute name and optionally a value inside e.g. [attr=value]
  • an element type by simply typing the name of the element e.g. input

You can nest these selectors to achieve precise selection of data on the page, e.g. #myId .myClassName will match the span element in the following snippet:

<html>
  <body>
    <div id="myId">
      <span class="myClassName">
        Text that will be operated on
      </span>
    </div>
  </body>
</html>

Regex

If the above examples do not cover the type of selection you need, you can always fall back to a regex. VGS provides a series of named groups to assist with complex matching. These are:

  • prefix - Anything to match before
  • token - The data to match
  • suffix - Anything matched after

If these are omitted, then anything matched by the regex in its entirety will be operated on.

Here are two examples:

  • (\d{16}) - would operate on any 16-digit sequence
  • (?<prefix>foo)(?<token>\d{16})(?<suffix>\d{3}) - would operate on a 16-digit sequence prefixed with foo and suffixed with three digits, e.g. foo1234567890123456123 would become footok_sandbox_asd123123, where the prefix is foo, the suffix is 123, and the 16-digit value 1234567890123456 is replaced with the value tok_sandbox_asd123
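The prefix/token/suffix behaviour described above, as an added example that is not VGS code: `operate` is a hypothetical helper that replaces only the `token` group when the pattern has one and the whole match otherwise. It also shows that an unanchored (\d{16}) rewrites the first 16 digits of a longer number, which `\b` boundaries avoid; all inputs are constructed.

```javascript
// Added example: prefix/token/suffix handling; not VGS code.
const surrogate = () => "tok_sandbox_asd123"; // sample surrogate from the text above

// Replace the named "token" group if the pattern has one, else the whole match.
function operate(input, pattern, replace) {
  // g: visit every match; d: record start/end offsets for each group.
  const flags = [...new Set(pattern.flags + "gd")].join("");
  const re = new RegExp(pattern, flags);
  let out = "";
  let pos = 0;
  for (const m of input.matchAll(re)) {
    const hasToken = m.groups !== undefined && m.groups.token !== undefined;
    const [start, end] = hasToken ? m.indices.groups.token : m.indices[0];
    if (start === end) continue; // empty selection, nothing to replace
    out += input.slice(pos, start) + replace(input.slice(start, end));
    pos = end; // prefix and suffix text is copied through unchanged
  }
  return out + input.slice(pos);
}

const NAMED = /(?<prefix>foo)(?<token>\d{16})(?<suffix>\d{3})/;
const BARE = /(\d{16})/;
const BOUNDED = /\b(\d{16})\b/;

// Constructed inputs: the page's own example, a plain 16-digit value, and a
// 20-digit reference number that is not a card number at all.
function regexDemo() {
  return {
    named: operate("foo1234567890123456123", NAMED, surrogate),
    bare: operate("card 4111111111111111 ok", BARE, surrogate),
    overMatch: operate("ref 12345678901234567890", BARE, surrogate),
    bounded: operate("ref 12345678901234567890", BOUNDED, surrogate),
  };
}

console.log(regexDemo());
```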

These examples cover the most common operation use cases.

If you have any questions or trouble please reach out on our site chat or contact support@verygoodsecurity.com.