Credit card number disclosure

Medium Web Application Scanning Plugin ID 98129

Synopsis

Credit card number disclosure

Description

Credit card numbers are used in applications where a user is able to purchase
goods and/or services.

A credit card number is a sensitive piece of information and should be handled
as such. Cyber-criminals will use various methods to attempt to compromise credit
card information that can then be used for fraudulent purposes.

Through the use of regular expressions and CC number format validation using
known issuer numbers and luhn check validation, the scanner was able to
discover a credit card number located within the affected page.

Solution

Initially, the credit card number within the response should be checked to ensure its validity, as it is possible that the regular expression has matched on a similar number with no relation to a real credit card.
If the response does contain a valid credit card number, then all efforts should be taken to remove or further protect this information. This can be achieved by removing the credit card number altogether, or by masking the number so that only the last few digits are present within the response. (eg. _**********123_).
Additionally, credit card numbers should not be stored by the application, unless the organisation also complies with other security controls as outlined in the Payment Card Industry Data Security Standard (PCI DSS).

See Also

https://gist.github.com/1182499

Plugin Details

Severity: Medium

ID: 98129

Type: remote

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSSv3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information