
Personal Identification Number Exposure Analyzer

Configuration Name: SSNExposure

Description

The SSNExposure analyzer reports when an operation exposes a personal identification number, e.g., a United States Social Security number (SSN). A finding is reported when a response contains a value that is a string that matches global personal identification number formats.
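The following is an added illustration of the kind of check described above, not the analyzer's own code: a scanner that runs over HTTP response bodies, matches the United States SSN layout (AAA-GG-SSSS), discards values that the Social Security Administration's structural rules mark as never issued, and maps each hit to one of the two faults listed below. The response samples, the `scan_response` function, and the rule that error-status responses map to CWE-209 while all others map to CWE-359 are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# US SSN layout AAA-GG-SSSS with a consistent separator (dash, space, or none).
# The backreference \2 rejects mixed separators; the lookarounds reject
# longer digit runs such as timestamps or build numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules: area 000, 666 and 900-999 are never issued,
    and group 00 / serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    cwe: str         # fault identifier, as in the table on this page
    path: str
    status: int
    confidence: str  # "high" when a separator was present, "low" for bare 9-digit runs
    redacted: str    # last four digits only, so the report does not re-expose the value


def scan_response(path: str, status: int, body: str) -> list[Finding]:
    """Return one Finding per plausible SSN-formatted value in one response body."""
    findings = []
    for m in SSN_RE.finditer(body):
        area, sep, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            continue
        # Assumption for this example: error responses (4xx/5xx) are reported as
        # CWE-209 (sensitive data in an error message), everything else as CWE-359.
        cwe = "CWE-209" if status >= 400 else "CWE-359"
        confidence = "high" if sep else "low"
        findings.append(Finding(cwe, path, status, confidence, "***-**-" + serial))
    return findings


def scan_responses(responses) -> list[Finding]:
    """Scan an iterable of (path, status, body) tuples."""
    out = []
    for path, status, body in responses:
        out.extend(scan_response(path, status, body))
    return out


# Constructed sample responses (not real traffic) used to exercise the scanner.
SAMPLE_RESPONSES = [
    ("/api/users/42", 200, '{"name": "A. Example", "ssn": "123-45-6789"}'),
    ("/api/users/43", 500, "ValueError: could not normalize SSN 456 78 9012"),
    ("/api/orders/7", 200, '{"order_id": "000-00-0000", "total": "12.50"}'),
    ("/api/contact", 200, '{"phone": "555 123 4567", "build": "20240115123"}'),
]

if __name__ == "__main__":
    for f in scan_responses(SAMPLE_RESPONSES):
        print(f"{f.cwe} {f.path} status={f.status} "
              f"confidence={f.confidence} value={f.redacted}")
```

Running the block reports the first two samples only: the order id fails the area-000 rule, and the phone number and build id never match the layout. A bare nine-digit run still matches but is reported at low confidence, which is where a practitioner would expect most false positives from a format-only check.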

Faults Reported

| Fault Identifier | Title | Summary | Solution | Severity |
| --- | --- | --- | --- | --- |
| CWE-209 | Generation of Error Message Containing Sensitive Information | The software generates an error message that includes sensitive information about its users. | Ensure that error messages contain an appropriate description of the error without exposing internal details about the data managed by the application. Consider use of fixed error messages for kinds of errors that may occur. Avoid forwarding errors from other parts of the application. | low |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | Application response contains a personal identification number (e.g., Social Security number in United States), which may or may not be intended. | Verify whether a personal identification number was expected to be found in the response. Verify that the operation has proper access control such that a user cannot access another user's personal information. | low |