Forum Discussion
ramann_75062
Nimbostratus
Jun 15, 2009
Disable Credit Card Number Check for a parameter
Hi @all,
In some pages, a session id is included in the HTML code or in the URL.
Examples:
name="id" value="ABC376151241604674X" />
OR
/customer.dll?id=ABC376151241604674X&fun=customer&a
Now we have the problem that the ASM marks them as "Information leakage detected".
Is there a way to exclude this parameter from this kind of check?
Thanks
Bjoern
1 Reply
- Benjamin_9036 (Historic F5 Account)
Hey Bjoern,
There isn't really a way to exclude a single parameter, per se, especially in versions prior to version 10.0.0. In 9.4.x versions you may be able to disable the system's default 'Credit Card Numbers' check and then craft your own with a negative lookbehind and expressions to match CC numbers. Of course, there may be more expressions to match CCNs in the default bundle that you can dig up published around, but that is the only method I can fathom to do this prior to version 10.
For more info on lookarounds, check here:
http://www.perl.com/doc/manual/html/pod/perlre.html
In version 10 and later, though, there are "Exception Patterns" which you can use to create patterns to allow, rather than trying to recreate the default bundle of CCN expressions - each with the lookbehind exception applied to it. This is probably the more graceful (not to mention secure) solution. An exception pattern to match the "customer.dll?id=" string and another to match the 'name="id" value="' string should let these instances through.
Cheers!
// Ben
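The lookbehind approach described in the reply, as an added example that is not part of the original thread and does not reproduce ASM's built-in expressions. The 13-16 digit pattern is a simplified stand-in for a CCN signature, the three-letter session id prefix is an assumption inferred from the single sample `ABC...`, and all names are hypothetical.

```python
import re

# Simplified stand-in for one CCN signature: a 13-16 digit run that is not
# part of a longer digit run. This is NOT one of ASM's built-in expressions.
CCN_DIGITS = r"\d{13,16}(?!\d)"

# Fixed-width negative lookbehinds, evaluated at the first digit. Perl-style
# lookbehind must be fixed width, so the session id prefix is assumed to be
# exactly three uppercase letters (inferred from the single sample "ABC...").
SESSION_ID_EXCEPTIONS = (
    r'(?<!customer\.dll\?id=[A-Z]{3})',
    r'(?<!name="id" value="[A-Z]{3})',
)

STOCK = re.compile(r"(?<!\d)" + CCN_DIGITS)
TUNED = re.compile(r"(?<!\d)" + "".join(SESSION_ID_EXCEPTIONS) + CCN_DIGITS)


def flagged(pattern, text):
    """Return every digit run the pattern would report as a possible CCN."""
    return pattern.findall(text)


# Constructed samples: the first two are the strings from the question, the
# last two use the well-known test number 4111111111111111.
SAMPLES = {
    "hidden_field": 'name="id" value="ABC376151241604674X" />',
    "url": "/customer.dll?id=ABC376151241604674X&fun=customer&a",
    "other_field": 'name="card" value="4111111111111111" />',
    "id_without_prefix": "/customer.dll?id=4111111111111111&fun=customer",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:18} stock={flagged(STOCK, text)} tuned={flagged(TUNED, text)}")
```

The tuned pattern stays silent only for the session id shape in the two named contexts; a card-like number in another field, or directly in `id=` without the letter prefix, is still reported.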