Throughout every web application penetration test, experts check tons of various items, including hidden data. Consequently, many times during the testing and reviewing process of a web app there is often data that appears to be masked or blocked, invisible to the viewer. Yet, viewing the source code of the page reveals something completely different.
Shown below is the webpage in which users would assume that the SSN is masked or blocked:
However, viewing the members information allowed a user to reveal the member’s full Social Security Number (SSN) when our pentesters looked at the source code of the webpage.
By right-clicking on the webpage and inspecting the SSN element, it will allow the viewer to see that the full SSN is actually revealed (as shown below):
No company would want that type of sensitive information to get out, the recommendation that can be made to clients would be as followed:
Return only the last four digits of the social security number, masking the remainder of the social security number. The entire social security number may be securely stored on the server before processing.
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.
Read more from White Oak Security’s pentesting team.