Credit card number disclosure

Medium Web Application Scanning Plugin ID 98129


Credit card number disclosure


Credit card numbers are used in applications where a user is able to purchase goods and/or services.

A credit card number is a sensitive piece of information and should be handled as such. Cyber-criminals will use various methods to attempt to compromise credit card information that can then be used for fraudulent purposes.

Through the use of regular expressions and CC number format validation using known issuer numbers and luhn check validation, the scanner was able to discover a credit card number located within the affected page.


Initially, the credit card number within the response should be checked to ensure its validity, as it is possible that the regular expression has matched on a similar number with no relation to a real credit card.
If the response does contain a valid credit card number, then all efforts should be taken to remove or further protect this information. This can be achieved by removing the credit card number altogether, or by masking the number so that only the last few digits are present within the response. (eg. _**********123_).
Additionally, credit card numbers should not be stored by the application, unless the organisation also complies with other security controls as outlined in the Payment Card Industry Data Security Standard (PCI DSS).

See Also

Plugin Details

Severity: Medium

ID: 98129

Type: remote

Published: 2017/03/31

Updated: 2017/10/16

Scan Template: api, scan, pci, overview

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information

CWE: 359