Configurable Data Exposure Analyzer
Configuration Name: DataExposure
Description
The DataExposure analyzer reports a finding when a response body contains a
field-value pair that matches a user-specified pattern.
A pattern comprises two regular expressions: a field pattern that is matched
against the field name and a value pattern that is matched against the field's
contents (refer to Patterns). The DataExposure analyzer reports a finding
whenever a field-value pair satisfies both patterns; a match on the field name
alone or the value alone is not reported. Patterns are configured in the Platform UI.
By default, the DataExposure analyzer only reports a finding when a pattern
matches in a response to an unauthenticated request. To also report matches in
responses to authenticated requests, set the parameter reportAuthenticated to true.
Configuration Parameters
The DataExposure analyzer has the following parameters.
- patternsId (required): ID of the Patterns defined in the Platform.
- reportAuthenticated (optional): When true, a finding is reported when a pattern matches in a response to either an authenticated or an unauthenticated request. By default, a finding is only reported for unauthenticated requests.
- findingTitle (optional): When present, sets the title of the finding reported by the analyzer.
- authenticatedFaultId (optional): When present, sets the fault ID of the finding reported by the analyzer for a request with authentication credentials.
- unauthenticatedFaultId (optional): When present, sets the fault ID of the finding reported by the analyzer for a request without authentication credentials.
- severity (optional): When present, sets the severity of the finding reported by the analyzer. Acceptable strings: info, low, medium, high, critical.
- reason (optional): When present, sets the reason text of the finding reported by the analyzer.
- remedy (optional): When present, sets the remedy text of the finding reported by the analyzer.
The DataExposure analyzer may be included multiple times in a configuration
to apply several patterns IDs, each with its own settings, for example:
```yaml
testProfile:
  analyzers:
    - kind: DataExposure
      patternsId: "00000000-0000-0000-0000-000000000011"
      reportAuthenticated: true
    - kind: DataExposure
      patternsId: "00000000-0000-0000-0000-000000000022"
```
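The matching and reporting behaviour described above, as an added Python example (this is illustrative code, not the Platform's own implementation): two pattern sets keyed by the patterns IDs from the testProfile fragment, the two analyzer entries from that fragment, and a small evaluator that walks a JSON response body, requires both the field and the value regular expression to match, and applies the reportAuthenticated gate and the SDE-100/SDE-101 fault IDs from the Faults Reported table. The pattern contents, the sample response body, the recursive handling of nested objects and arrays, and the use of unanchored search semantics for the regular expressions are all assumptions made for this example; the page does not specify how the Platform walks nested bodies or whether its patterns are anchored.

```python
import json
import re

# Constructed stand-ins for Patterns defined in the Platform UI, keyed by the
# patterns IDs used in the testProfile fragment above. Each entry is a
# (field pattern, value pattern) pair of regular expressions; both must match.
PATTERNS = {
    "00000000-0000-0000-0000-000000000011": [
        (r"(?i)^(ssn|social_security)$", r"^\d{3}-\d{2}-\d{4}$"),
        (r"(?i)email", r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$"),
    ],
    "00000000-0000-0000-0000-000000000022": [
        (r"(?i)^(api[_-]?key|secret)$", r"^[A-Za-z0-9]{32,}$"),
    ],
}

# The two analyzer entries from the testProfile fragment above.
ANALYZERS = [
    {"kind": "DataExposure",
     "patternsId": "00000000-0000-0000-0000-000000000011",
     "reportAuthenticated": True},
    {"kind": "DataExposure",
     "patternsId": "00000000-0000-0000-0000-000000000022"},
]

# Default fault IDs and titles, taken from the Faults Reported table.
DEFAULT_FAULTS = {
    False: ("SDE-100", "Data Exposure in Response to Unauthenticated Request"),
    True: ("SDE-101", "Data Exposure in Response to Authenticated Request"),
}


def iter_fields(node, name="", path=""):
    """Yield (path, field name, scalar value) for every leaf in a JSON body.
    Scalars inside an array inherit the array's field name, so a pattern on
    "email" also covers {"emails": ["a@b.example"]} (assumed behaviour)."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_fields(value, key, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_fields(value, name, f"{path}[{index}]")
    elif node is not None:
        yield path, name, node


def analyze(analyzer, body, authenticated):
    """Apply one DataExposure analyzer entry to a decoded response body.
    Returns a list of findings; empty when the response is to an authenticated
    request and reportAuthenticated is not set."""
    if authenticated and not analyzer.get("reportAuthenticated", False):
        return []
    default_id, default_title = DEFAULT_FAULTS[authenticated]
    override_key = "authenticatedFaultId" if authenticated else "unauthenticatedFaultId"
    fault_id = analyzer.get(override_key, default_id)
    title = analyzer.get("findingTitle", default_title)
    findings = []
    for field_re, value_re in PATTERNS[analyzer["patternsId"]]:
        for path, name, value in iter_fields(body):
            # A finding requires the field pattern AND the value pattern to match.
            if re.search(field_re, name) and re.search(value_re, str(value)):
                findings.append({
                    "faultId": fault_id,
                    "title": title,
                    "severity": analyzer.get("severity", "medium"),
                    "path": path,
                })
    return findings


def run(body, authenticated):
    """Run every configured DataExposure analyzer against one response body."""
    findings = []
    for analyzer in ANALYZERS:
        findings.extend(analyze(analyzer, body, authenticated))
    return findings


# Constructed response body for the example; not captured from a real service.
SAMPLE_BODY = json.loads("""{
  "id": 42,
  "profile": {"email": "alice@example.com", "ssn": "123-45-6789"},
  "contacts": [{"email": "bob@example.com"}],
  "api_key": "ABCDEF0123456789ABCDEF0123456789"
}""")


if __name__ == "__main__":
    for authenticated in (False, True):
        print(f"authenticated={authenticated}")
        for finding in run(SAMPLE_BODY, authenticated):
            print(f"  {finding['faultId']} {finding['severity']} {finding['path']}")
```

Against the sample body, the unauthenticated run reports four SDE-100 findings (both email fields, the SSN, and the API key), while the authenticated run reports only the three SDE-101 findings from the first analyzer, because the second entry leaves reportAuthenticated unset. When writing real patterns, anchor value patterns where the format allows it (as with the SSN and key patterns here); a loose value pattern such as `.+` paired with a broad field pattern turns the analyzer into a noise source rather than a detector.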
Faults Reported
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| SDE-100 | Data Exposure in Response to Unauthenticated Request | A user-specified pattern matched in the response for an unauthenticated request. | Identify and classify applications that store sensitive and personally identifiable information (PII). Review all API operations that return such information to verify that the information is not exposed unnecessarily. | medium |
| SDE-101 | Data Exposure in Response to Authenticated Request | A user-specified pattern matched in the response for an authenticated request. | Identify and classify applications that store sensitive and personally identifiable information (PII). Review all API operations that return such information to verify that the information is not exposed unnecessarily. | medium |