Credit card number disclosure
Medium Web Application Scanning Plugin ID 98129
SynopsisCredit card number disclosure
DescriptionCredit card numbers are used in applications where a user is able to purchase goods and/or services.
A credit card number is a sensitive piece of information and should be handled as such. Cyber-criminals will use various methods to attempt to compromise credit card information that can then be used for fraudulent purposes.
Through the use of regular expressions and CC number format validation using known issuer numbers and luhn check validation, the scanner was able to discover a credit card number located within the affected page.
SolutionInitially, the credit card number within the response should be checked to ensure its validity, as it is possible that the regular expression has matched on a similar number with no relation to a real credit card.
If the response does contain a valid credit card number, then all efforts should be taken to remove or further protect this information. This can be achieved by removing the credit card number altogether, or by masking the number so that only the last few digits are present within the response. (eg. _**********123_).
Additionally, credit card numbers should not be stored by the application, unless the organisation also complies with other security controls as outlined in the Payment Card Industry Data Security Standard (PCI DSS).