Invisible Data in Web App Pentesting – Don’t Believe Everything You See

Throughout every web application penetration test, experts check tons of various items, including hidden data. Consequently, many times during the testing and reviewing process of a web app there is often data that appears to be masked or blocked, invisible to the viewer. Yet, viewing the source code of the page reveals something completely different.

Shown below is the webpage in which users would assume that the SSN is masked or blocked:

image shows a screenshot of a web application test where the page shows that the SSN is blocked or masked, but White Oak Security is here to reveal the hidden data.

However, viewing the members information allowed a user to reveal the member’s full Social Security Number (SSN) when our pentesters looked at the source code of the webpage.

By right-clicking on the webpage and inspecting the SSN element, it will allow the viewer to see that the full SSN is actually revealed (as shown below):

this screenshot shows the webpage that is supposed to mask the SSN actually is revealing the whole SSN in the page code

this screenshot shows the inspected page source code that is revealing the whole SSN to users

White Oak Remediation

No company would want that type of sensitive information to get out, the recommendation that can be made to clients would be as followed:

Return only the last four digits of the social security number, masking the remainder of the social security number. The entire social security number may be securely stored on the server before processing.

MORE FROM WHITE OAK SECURITY

White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.