// Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.
| name | sast-data-exposure-testing |
| description | Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns. |
| allowed-tools | Read, Grep, Glob |
Investigate data exposure vulnerabilities by analyzing:
PII or secrets written to log files.
Dangerous Patterns:
# Logging sensitive data
logger.info(f"User login: {username}, password: {password}")
logger.debug(f"API response: {response.json()}") # May contain PII
print(f"Processing credit card: {card_number}")
Safe Patterns:
logger.info(f"User login: {username}")
logger.debug(f"API response status: {response.status_code}")
logger.info(f"Processing card ending in: {card_number[-4:]}")
API returns more data than necessary.
Dangerous Patterns:
@app.route('/api/user/<id>')
def get_user(id):
user = User.query.get(id)
return user.to_dict() # Returns ALL fields including password_hash, SSN, etc.
Safe Patterns:
def get_user(id):
user = User.query.get(id)
return {
'id': user.id,
'name': user.name,
'email': user.email
} # Only necessary fields
Stack traces or internal details exposed to users.
Dangerous Patterns:
except Exception as e:
return str(e), 500 # Exposes internal error details
return traceback.format_exc(), 500 # Full stack trace
Safe Patterns:
except Exception as e:
logger.error(f"Error: {e}", exc_info=True)
return {"error": "An internal error occurred"}, 500
PII exposed without proper controls.
Dangerous Patterns:
# Exposing PII in URLs
redirect(f"/profile?ssn={user.ssn}")
# Caching sensitive data
cache.set(f"user_{id}", user.to_dict()) # Includes PII
Search for logging statements:
Patterns: logger., logging., print(, console.log
log.info, log.debug, log.error
sentry, bugsnag, rollbar
Look for PII and sensitive fields:
Patterns: password, ssn, social_security
credit_card, card_number, cvv
email, phone, address
api_key, token, secret
Analyze what data is returned:
Patterns: return user, return .to_dict()
jsonify(, json.dumps(
response.json(), render_template
Check exception handling:
Patterns: except Exception, except:
traceback, exc_info
return str(e), raise
Use github_org_code_search to find:
TRUE_POSITIVE:
FALSE_POSITIVE:
UNVALIDATED:
### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL
### Evidence
- **Location**: file:line
- **Exposure Type**: Logging / API Response / Error / Cache
- **Data Exposed**: Type of sensitive data (PII, credentials, etc.)
- **Code**: Relevant code snippet (REDACT actual data)
### Impact
- What data could be exposed
- Who could access it
- Regulatory implications (GDPR, HIPAA, etc.)
### Recommendations
- [Specific fix with code example]
Investigate authentication vulnerabilities in source code including missing authentication, weak authentication, and session management issues. Use when threat model identifies CWE-287 (Improper Authentication), CWE-384 (Session Fixation), CWE-306 (Missing Authentication), or authentication concerns.
Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.
Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns.
Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.
Investigate insecure deserialization vulnerabilities that can lead to RCE or data manipulation. Use when threat model identifies CWE-502 (Deserialization of Untrusted Data), CWE-915 (Mass Assignment), or object deserialization concerns.
Investigate file operation vulnerabilities including unrestricted file upload, path traversal in file operations, and insecure file handling. Use when threat model identifies CWE-434 (Unrestricted Upload), CWE-73 (External Control of File Path), CWE-427 (Uncontrolled Search Path), or file security concerns.