Sensitive Data: High number of PII¶

Identifier: high_number_of_pii

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	WebApp Scanner	ASM Scanner

Description¶

When access control is not properly implemented, personally identifiable information (PII) can leak to the public, potentially leading to data breaches, financial loss, and legal penalties.

How we test: We scan responses to detect PII such as email addresses, phone numbers, social security numbers, and other personal identifiers. We count the number of PII instances found and alert if the count exceeds the configured threshold, indicating potential access control failures.

References:

https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html

Configuration¶

Example¶

Example configuration:

---
security_tests:
  high_number_of_pii:
    detection_threshold: 3
    skip: false

Reference¶

`detection_threshold`¶

Type : integer

Threshold to trigger alert if the number of values found.

`skip`¶

Type : boolean

Skip the test if true.