| name | sc-data-exposure |
| description | Sensitive data exposure detection — PII leaks, verbose errors, debug mode, and information disclosure |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
SC: Sensitive Data Exposure
Purpose
Detects sensitive data exposure including PII in logs, stack traces in production responses, debug mode enabled in production, sensitive data in URLs, source maps deployed to production, exposed .git directories, backup files, and excessive data in API responses. Focuses on data leaving the application boundary unintentionally.
Activation
Called by sc-orchestrator during Phase 2. Always runs.
Phase 1: Discovery
Keyword Patterns to Search
# Debug/verbose modes
"DEBUG = True", "debug: true", "NODE_ENV.*development",
"FLASK_DEBUG", "APP_DEBUG", "RAILS_ENV.*development",
"stackTrace", "stack_trace", "printStackTrace"
# PII in logs
"logger.*email", "log.*password", "console.log.*token",
"logging.*credit", "log.*ssn", "print.*secret"
# Sensitive data in URLs
"?token=", "?api_key=", "?password=", "?secret=",
"?access_token=", "?session="
# Information disclosure
".git/", "phpinfo()", "server_info", "X-Powered-By",
".env", "wp-config.php", "web.config", "application.properties"
# Source maps
".map", "sourceMappingURL", "//# sourceMappingURL"
# Verbose error responses
"res.status(500).send(err)", "return error.message",
"traceback.format_exc()", "e.getMessage()"
Vulnerability Patterns
1. Stack Trace in Production:
app.use((err, req, res, next) => {
res.status(500).json({ error: err.stack });
});
app.use((err, req, res, next) => {
console.error(err.stack);
res.status(500).json({ error: 'Internal server error' });
});
2. PII in Logs:
logger.info(f"User login: email={email}, password={password}")
logger.debug(f"Payment: card={card_number}, cvv={cvv}")
logger.info(f"User login: email={mask_email(email)}")
logger.debug(f"Payment: card=****{card_number[-4:]}")
3. Debug Mode in Production:
DEBUG = True
DEBUG = os.environ.get('DEBUG', 'False') == 'True'
4. Excessive Data in API Response:
app.get('/api/users/:id', async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
app.get('/api/users/:id', async (req, res) => {
const user = await User.findById(req.params.id)
.select('name email avatar');
res.json(user);
});
Severity Classification
- Critical: Production credentials in logs, PII bulk exposure, debug mode in production
- High: Stack traces revealing internals, .git exposure, sensitive API response data
- Medium: Source maps in production, verbose error messages, sensitive data in URLs
- Low: Server version headers, minor information disclosure
Output Format
Finding: EXPOSE-{NNN}
- Title: {Data exposure type}
- Severity: Critical | High | Medium | Low
- Confidence: 0-100
- File: file/path:line
- Vulnerability Type: CWE-200 (Information Disclosure) | CWE-209 (Error Message Information Leak) | CWE-532 (Log File Information Disclosure)
- Description: {What sensitive data is exposed and through what channel}
- Impact: Privacy violation, credential theft, attack surface mapping.
- Remediation: {Redact sensitive data, disable debug mode, remove source maps, configure error handling}
- References: https://cwe.mitre.org/data/definitions/200.html
Common False Positives
- Debug mode with env check —
DEBUG = os.getenv('DEBUG') properly controlled by environment
- Log redaction in place — logging library configured to redact sensitive fields
- Development-only config — debug settings in files clearly scoped to development
- Test logging — verbose logging in test files
- Error handling middleware — custom error handler that catches and redacts before responding