Personal Identification Number Exposure Analyzer
Configuration Name: SSNExposure
Description
The SSNExposure analyzer reports when an operation exposes a personal identification number, for example a United States Social Security number (SSN). A finding is reported when a response body contains a string value that matches a recognized national personal identification number format. Because the check is format-based, it cannot tell whether the number belongs to the requesting user or whether returning it was intended; other nine-digit values (account or order numbers, phone numbers) can also match, so each finding should be verified against the operation's purpose and access control.
Faults Reported
Fault Identifier | Title | Summary | Solution | Severity |
---|---|---|---|---|
CWE-209 | Generation of Error Message Containing Sensitive Information | The software generates an error message that includes sensitive information about its users. | Ensure that error messages contain an appropriate description of the error without exposing internal details about the data managed by the application. Consider use of fixed error messages for kinds of errors that may occur. Avoid forwarding errors from other parts of the application. | low |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | Application response contains a personal identification number (e.g., a United States Social Security number), which may or may not be intended. | Verify whether a personal identification number was expected to be found in the response. Verify that the operation has proper access control such that a user cannot access another user's personal information. | low |
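The following is an added example, not the analyzer's own code, of the kind of format-based check described above, covering both table rows: it walks a JSON response body, flags US SSNs in the dashed form anywhere in the body, flags the bare nine-digit form only where the field name hints at an SSN (to keep phone and account numbers out), rejects number ranges the SSA never issues, and redacts the match in the finding. The sample responses, including the error message that leaks an SSN (the CWE-209 case), are constructed for the example.

```python
import json
import re

# Dashed or space-separated form AAA-GG-SSSS; matched anywhere in the body.
SSN_SEPARATED = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
# Bare nine-digit form; too noisy to flag unless the field name hints at an SSN.
SSN_BARE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")
# Field-name hints (assumed for this example; tune per application).
SSN_KEY_HINTS = ("ssn", "social", "taxid")


def is_issuable_ssn(area, group, serial):
    """Reject values the SSA never assigns: area 000, 666, 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact(ssn):
    """Keep only the last four digits in the finding so the report itself does not leak."""
    return "***-**-" + ssn[-4:]


def _scan_value(path, key, value, findings):
    """Recursive walk over parsed JSON; appends findings as {path, value}."""
    if isinstance(value, dict):
        for k, v in value.items():
            _scan_value(f"{path}.{k}" if path else k, k, v, findings)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            _scan_value(f"{path}[{i}]", key, v, findings)
    elif isinstance(value, (str, int)) and not isinstance(value, bool):
        text = str(value)
        patterns = [SSN_SEPARATED]
        if key and any(h in key.lower().replace("_", "") for h in SSN_KEY_HINTS):
            patterns.append(SSN_BARE)
        for pat in patterns:
            for m in pat.finditer(text):
                if is_issuable_ssn(*m.groups()):
                    findings.append({"path": path, "value": redact(m.group(0))})


def scan_json_response(body):
    """Return a list of findings (JSON path plus redacted value) for a JSON response body."""
    findings = []
    _scan_value("", None, json.loads(body), findings)
    return findings


# Constructed sample responses (not real data).
OK_RESPONSE = '{"id": 42, "name": "A. Example", "phone": "555-123-4567"}'
LEAK_RESPONSE = (
    '{"user": {"id": 7, "ssn": 123456789, "note": "DOB 1980-01-01"},'
    ' "related": [{"ssn": "900-12-3456"}, {"ssn": "078-05-1120"}]}'
)
# CWE-209: an error message forwarded from the data layer that carries the value.
ERROR_RESPONSE = '{"error": "Duplicate key: SSN 219-09-9999 already exists"}'

if __name__ == "__main__":
    for name, body in [("ok", OK_RESPONSE), ("leak", LEAK_RESPONSE), ("error", ERROR_RESPONSE)]:
        print(name, scan_json_response(body))
```

The phone number and the date in the samples do not match because the separated pattern requires the exact 3-2-4 digit grouping; the "900-12-3456" value is dropped by `is_issuable_ssn`, and the bare integer under the `ssn` key is flagged only because of the key-name hint.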