Information Leak - IBAN
Reference
Plugin Id: 100012 | CWE: 200
Remediation
To remediate the exposure of International Bank Account Numbers (IBANs) in HTTP responses:
- Remove or redact IBANs from responses: Do not include IBANs in HTTP response bodies unless the user actually needs them. If an IBAN must be displayed, show only the last 4 characters (e.g., “**1234”). Apply the masking on the server, before the response is serialized; masking in client-side JavaScript still delivers the full value to the browser and to anyone who intercepts or replays the request.
- Implement access controls: Restrict pages and API endpoints that return financial information to authorized users only, using strong authentication and per-object authorization so that a user can retrieve only the accounts that belong to them. Apply the same checks on every path that returns the data, including exports, search results and bulk endpoints.
- Audit data exposure: Review API responses, web pages, HTML comments, JavaScript files and error messages to identify and remove exposed financial data. Disable verbose error output and stack traces in production, since these are a common leak path for values that were never meant to be rendered.
- Use secure transmission: Always transmit financial data over HTTPS to prevent interception in transit. This is a baseline control, not a fix for this finding: an IBAN that should not be in the response is still exposed to every recipient of that response regardless of the transport.
About
This scanner detects International Bank Account Numbers (IBANs) in HTTP response bodies. IBANs are standardized (ISO 13616) identifiers for bank accounts used in many countries, particularly in Europe. They consist of a 2-letter country code, 2 check digits, and a country-specific Basic Bank Account Number (BBAN) of 11 to 30 alphanumeric characters identifying the bank and account, for a total length of 15 to 34 characters. The check digits are computed with the ISO 7064 MOD 97-10 algorithm, so a candidate string can be validated offline; a detector that applies this check can distinguish a genuine IBAN from a lookalike string that merely matches the pattern.
Exposing IBANs is a significant privacy and security concern: they identify specific financial accounts and can facilitate unauthorized transactions and social engineering attacks. IBANs should be treated as sensitive financial information and protected accordingly.
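The following added example (not part of this plugin's documentation or of the scanner's own code) shows both halves of the issue described on this page: a detector that finds IBAN candidates in a response body and confirms them with the MOD 97-10 check digits described above, and the server-side masking recommended under Remediation, which keeps only the last four characters. The response body is constructed for the example; the two IBANs in it are the widely published sample values for Germany and the United Kingdom, and the third is the UK value with its last digit altered so that it matches the pattern but fails the checksum.

```python
import re

# Candidate pattern for an IBAN in free text: 2-letter country code, 2 check
# digits, then the BBAN as blocks of four alphanumerics (optionally space
# separated) with an optional short final block. Length is re-checked after
# normalization because the BBAN is 11 to 30 characters (15 to 34 in total).
IBAN_CANDIDATE = re.compile(
    r"\b[A-Z]{2}[0-9]{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b"
)


def normalize_iban(candidate: str) -> str:
    """Strip grouping spaces and upper-case a candidate IBAN."""
    return candidate.replace(" ", "").upper()


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 7064 MOD 97-10 check used by every IBAN: move the first four
    characters (country code + check digits) to the end, expand letters to
    two digits (A=10 ... Z=35), and the resulting integer must be 1 mod 97."""
    iban = normalize_iban(candidate)
    if not (15 <= len(iban) <= 34) or not iban.isascii() or not iban.isalnum():
        return False
    if not (iban[:2].isalpha() and iban[2:4].isdigit()):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def find_ibans(body: str) -> list:
    """Return (raw_match, normalized, checksum_ok) for every candidate in a
    response body. The checksum flag is what separates a real IBAN from a
    lookalike and keeps the finding list free of false positives."""
    results = []
    for m in IBAN_CANDIDATE.finditer(body):
        raw = m.group(0)
        results.append((raw, normalize_iban(raw), iban_checksum_ok(raw)))
    return results


def mask_iban(iban: str) -> str:
    """Masked form recommended above: only the last four characters survive."""
    return "**" + normalize_iban(iban)[-4:]


def redact_ibans(body: str) -> str:
    """Replace every checksum-valid IBAN in a response body with its masked
    form, leaving lookalikes that fail the checksum untouched. Run this on
    the server, before serialization, never in the client."""
    def _replace(m):
        raw = m.group(0)
        return mask_iban(raw) if iban_checksum_ok(raw) else raw
    return IBAN_CANDIDATE.sub(_replace, body)


# Constructed sample response body (not captured from any real system). The
# first two IBANs are the well-known published examples; the third has its
# final digit altered so it matches the pattern but fails the mod-97 check.
SAMPLE_BODY = (
    '{"customer":"Example GmbH","iban":"DE89 3704 0044 0532 0130 00",'
    '"bic":"COBADEFFXXX"}\n'
    "<!-- legacy payout account GB82WEST12345698765432 -->\n"
    "<p>Order reference: GB82WEST12345698765433</p>\n"
)

if __name__ == "__main__":
    for raw, norm, ok in find_ibans(SAMPLE_BODY):
        print(f"{norm:<24} checksum={'ok' if ok else 'FAIL'}  (matched {raw!r})")
    print(redact_ibans(SAMPLE_BODY))
```

The pattern alone is deliberately loose so that it catches spaced and unspaced forms; the mod-97 step is what makes the finding reliable, which is why `redact_ibans` only masks values that pass it. A lookalike that fails the checksum is left alone rather than silently rewritten, so the audit trail still shows what was in the response.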
Risks
The risks associated with IBAN disclosure include:
- Financial fraud: Exposed IBANs can be used to initiate unauthorized transactions or direct debit fraud, for example by submitting direct debit collections against the account, since direct debit schemes generally rely on the creditor's mandate rather than on the debtor's confirmation at collection time.
- Privacy violation: IBANs are personal data under regulations such as GDPR. Exposure may result in breach notification obligations and regulatory penalties.
- Social engineering: An attacker who knows a victim's IBAN can craft convincing phishing messages or impersonate the victim's bank, since knowledge of the account number lends credibility to the contact.
- Account enumeration: Multiple exposed IBANs can reveal business relationships, customer lists or the organization's financial structure.