Login Start Free Trial Login Start Free Trial
 

HawkScan Test Info for Information Leak - Email Address

HawkScan Test Info for Information Leak - Email Address

Information Leak - Email Address

Reference

Plugin Id: 100009 | CWE: 311

Remediation

To remediate email address disclosure in HTTP responses:

  1. Remove or obfuscate email addresses: Replace email addresses with contact forms, support ticket systems, or obfuscated versions (e.g., “user [at] example [dot] com”).

  2. Implement access controls: Restrict access to pages containing email addresses to authenticated users only. Use role-based access control to limit who can view contact information.

  3. Audit response bodies: Review all HTTP responses including:
    • HTML pages and content
    • JavaScript files
    • JSON/XML API responses
    • Error messages and stack traces
    • HTTP headers
    • HTML comments
  4. Use alternative contact methods: Implement contact forms that don’t expose email addresses, or use protected email display mechanisms that require user interaction.

About

This scanner detects email addresses in HTTP response bodies using pattern matching. Email addresses are considered sensitive information as they can be used for spam, phishing attacks, social engineering, or account enumeration.

The scanner identifies standard email formats including:

  • Simple addresses (user@example.com)
  • Gmail-style aliases (user+tag@example.com)
  • Addresses with dots and hyphens (first.last@example.com)

While email addresses may seem innocuous, their exposure increases the attack surface for social engineering, targeted phishing campaigns, and privacy violations. Organizations should carefully consider which email addresses need to be public and implement appropriate protections.

Risks

The risks associated with email address disclosure include:

  • Spam and phishing: Exposed email addresses become targets for spam campaigns and phishing attacks.

  • Social engineering: Attackers can use email addresses to craft convincing phishing emails or impersonate employees.

  • Account enumeration: Email addresses may reveal valid user accounts, facilitating brute force or credential stuffing attacks.

  • Privacy violation: Email addresses are personal data protected under regulations like GDPR and CCPA. Unnecessary exposure may result in compliance violations.

  • Reconnaissance: Email patterns can reveal organizational structure, naming conventions, and employee roles.