Configurable Data Exposure Analyzer
Configuration Name: DataExposure
Description
The DataExposure analyzer reports a finding when a response body contains a field-value pair that matches user-specified patterns. A pattern comprises two regular expressions: a field pattern to match the field name and a value pattern to match its contents (refer to Patterns). A finding is reported only when the same field-value pair satisfies both patterns. Patterns are configured in the Platform UI.

By default, the DataExposure analyzer only reports a finding when a pattern matches in a response to an unauthenticated request. This behavior can be changed by setting the parameter reportAuthenticated to true.
Configuration Parameters
The DataExposure analyzer has the following parameters.

- patternsId: ID of the Patterns defined in the Platform.
- reportAuthenticated: When true, a finding is reported when a pattern matches in a response to either an authenticated or an unauthenticated request. By default (false), a finding is only reported for unauthenticated requests.
The DataExposure analyzer may be included multiple times in a configuration to apply more than one set of patterns, each referenced by its own patternsId:

```yaml
testProfile:
  analyzers:
    - kind: DataExposure
      patternsId: "00000000-0000-0000-0000-000000000011"
      reportAuthenticated: true
    - kind: DataExposure
      patternsId: "00000000-0000-0000-0000-000000000022"
```
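The following is an added example, not the product's own code, that shows the matching semantics described above (field pattern and value pattern must both match the same field-value pair, nested objects and arrays walked, unauthenticated responses reported by default and authenticated ones only when reportAuthenticated is true) applied to the two-analyzer profile shown. The PATTERNS table is a hypothetical stand-in for the Patterns stored in the Platform UI, since this page does not document their storage format; the sample response body and the regular expressions in it are constructed for illustration.

```python
import json
import re

# Hypothetical stand-in for the Patterns defined in the Platform UI, keyed by
# patternsId. Each entry is (field_regex, value_regex). The real storage
# format is not documented on this page; this is an assumption for the example.
PATTERNS = {
    "00000000-0000-0000-0000-000000000011": [
        (r"(?i)^ssn$|social.?security", r"^\d{3}-\d{2}-\d{4}$"),
        (r"(?i)card|pan", r"^(?:\d[ -]?){13,19}$"),
    ],
    "00000000-0000-0000-0000-000000000022": [
        (r"(?i)^(api_?key|secret|token)$", r"^[A-Za-z0-9_\-]{20,}$"),
    ],
}

# The analyzer entries from the testProfile above, as a parsed configuration.
ANALYZERS = [
    {"kind": "DataExposure",
     "patternsId": "00000000-0000-0000-0000-000000000011",
     "reportAuthenticated": True},
    {"kind": "DataExposure",
     "patternsId": "00000000-0000-0000-0000-000000000022"},
]

# Constructed sample response body. The free-text "notes" value contains an
# SSN-shaped string but its field name does not match, so it must not be reported.
SAMPLE_BODY = json.dumps({
    "users": [
        {"id": 1, "name": "Ada", "ssn": "123-45-6789"},
        {"id": 2, "name": "Bob", "ssn": "redacted"},
    ],
    "api_key": "k3y_0123456789abcdefghijkl",
    "notes": "ssn 123-45-6789 in free text is not a field match",
})


def iter_fields(node, path=""):
    """Yield (dotted_path, field_name, value) for every scalar leaf in a JSON body,
    descending through nested objects and arrays. The field name is the last
    object key on the path (array indices are stripped)."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from iter_fields(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from iter_fields(child, f"{path}[{index}]")
    else:
        name = re.sub(r"(\[\d+\])+$", "", path).rsplit(".", 1)[-1]
        yield path, name, "" if node is None else str(node)


def analyze(body_json, authenticated, analyzers=ANALYZERS, patterns=PATTERNS):
    """Apply every DataExposure analyzer in the profile to one response body.
    Returns a list of findings: (fault_id, patternsId, path, field_name, value)."""
    findings = []
    fields = list(iter_fields(json.loads(body_json)))
    for cfg in analyzers:
        if cfg.get("kind") != "DataExposure":
            continue
        # Default behaviour: responses to authenticated requests are skipped
        # unless this analyzer instance sets reportAuthenticated: true.
        if authenticated and not cfg.get("reportAuthenticated", False):
            continue
        fault = "SDE-101" if authenticated else "SDE-100"
        for field_re, value_re in patterns[cfg["patternsId"]]:
            for path, name, value in fields:
                # Both the field pattern and the value pattern must match the
                # same field-value pair for a finding to be raised.
                if re.search(field_re, name) and re.search(value_re, value):
                    findings.append((fault, cfg["patternsId"], path, name, value))
    return findings


if __name__ == "__main__":
    for auth in (False, True):
        print(f"authenticated={auth}")
        for finding in analyze(SAMPLE_BODY, authenticated=auth):
            print("  ", finding)
```

Run stand-alone, the unauthenticated pass reports two SDE-100 findings (the first user's ssn and the top-level api_key); the authenticated pass reports only the ssn as SDE-101, because the second analyzer instance keeps the default reportAuthenticated of false. Note that the "redacted" ssn value and the SSN-shaped text inside "notes" are both ignored, which is the point of requiring a field match and a value match together.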
Faults Reported
Fault Identifier | Title | Summary | Solution | Severity |
---|---|---|---|---|
SDE-100 | Data Exposure in Response to Unauthenticated Request | A user-specified pattern matched in the response for an unauthenticated request. | Identify and classify applications that store sensitive and personally identifiable information (PII). Review all API operations that return such information to verify that the information is not exposed unnecessarily. | medium |
SDE-101 | Data Exposure in Response to Authenticated Request | A user-specified pattern matched in the response for an authenticated request. | Identify and classify applications that store sensitive and personally identifiable information (PII). Review all API operations that return such information to verify that the information is not exposed unnecessarily. | medium |