sensitive_data_check
Detect sensitive data exposure in APIs by testing endpoints for vulnerabilities like authentication bypass, injection attacks, and data leakage.
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| endpoint | Yes | API endpoint to test | |
| http_method | No | HTTP method to use | GET |
| request_body | No | Request body (for POST/PUT requests) | |
| use_auth | No | Whether to use current authentication if available |
Implementation Reference
- src/tools/dataLeakage.ts:19-109 (handler)The core handler function that performs HTTP requests to the specified endpoint (with optional auth), scans the response body, headers, and error details for sensitive data exposure using predefined regex patterns for PII, API keys, JWTs, passwords, stack traces, etc., collects findings by severity, and returns a formatted markdown report.async ({ endpoint, http_method, request_body, use_auth }) => { try { // Get auth headers if available and requested let headers = {}; if (use_auth) { const authManager = AuthManager.getInstance(); const authState = authManager.getAuthState(); if (authState.type !== 'none' && authState.headers) { headers = { ...headers, ...authState.headers }; } } // Make the request const response = await axios({ method: http_method.toLowerCase(), url: endpoint, data: request_body ? JSON.parse(request_body) : undefined, headers, validateStatus: () => true, // Accept any status code }); // Check for data leakage in the response const responseBody = typeof response.data === 'string' ? response.data : JSON.stringify(response.data); const responseHeaders = response.headers; // Patterns to check for in the response const sensitivePatterns = [ // PII { type: "Email Address", regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g }, { type: "Phone Number", regex: /(\+\d{1,3}[- ]?)?\d{3}[- ]?\d{3,4}[- ]?\d{4}/g }, { type: "Social Security Number", regex: /\b\d{3}[-]?\d{2}[-]?\d{4}\b/g }, // Credentials and Tokens { type: "API Key", regex: /(api[_-]?key|apikey|access[_-]?key|auth[_-]?key)[\"']?\s*[=:]\s*[\"']?([a-zA-Z0-9]{16,})/gi }, { type: "JWT", regex: /eyJ[a-zA-Z0-9_-]{5,}\.eyJ[a-zA-Z0-9_-]{5,}\.[a-zA-Z0-9_-]{5,}/g }, { type: "Password", regex: /(password|passwd|pwd)[\"']?\s*[=:]\s*[\"']?([^\"']{3,})/gi }, // Internal Info { type: "Internal Path", regex: /(\/var\/www\/|\/home\/\w+\/|C:\\Program Files\\|C:\\inetpub\\)/gi }, { type: "SQL Query", regex: /(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP)\s+.+?(?=FROM|WHERE|VALUES|SET|TABLE)/gi }, { type: "Stack Trace", regex: /(Exception|Error):\s*.*?at\s+[\w.<>$_]+\s+\(.*?:\d+:\d+\)/s }, { type: "IP Address", regex: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g }, ]; // Check for sensitive data in response const findings = []; for (const pattern of sensitivePatterns) { const matches = responseBody.match(pattern.regex); if (matches && matches.length > 0) { findings.push({ type: pattern.type, occurrence: matches.length, examples: matches.slice(0, 3), // Show max 3 examples severity: getSeverity(pattern.type), }); } } // Check response headers const sensitiveHeaders = checkSensitiveHeaders(responseHeaders); // Check for error details const errorDetails = checkErrorDetails(response); // Add authentication info to the report const authManager = AuthManager.getInstance(); const authState = authManager.getAuthState(); const authInfo = use_auth && authState.type !== 'none' ? `\nTest performed with authentication: ${authState.type}` : '\nTest performed without authentication'; return { content: [ { type: "text", text: formatFindings(findings, sensitiveHeaders, errorDetails, endpoint, authInfo), }, ], }; } catch (error) { return { content: [ { type: "text", text: `Error checking for sensitive data exposure: ${(error as Error).message}`, }, ], }; } }
- src/tools/dataLeakage.ts:13-18 (schema)Zod schema defining input parameters for the sensitive_data_check tool: endpoint (required URL), http_method (default GET), optional request_body, use_auth (default true).{ endpoint: z.string().url().describe("API endpoint to test"), http_method: z.enum(["GET", "POST", "PUT", "DELETE"]).default("GET").describe("HTTP method to use"), request_body: z.string().optional().describe("Request body (for POST/PUT requests)"), use_auth: z.boolean().default(true).describe("Whether to use current authentication if available"), },
- src/tools/dataLeakage.ts:11-110 (registration)Direct registration of the 'sensitive_data_check' tool on the MCP server within registerDataLeakageTools function.server.tool( "sensitive_data_check", { endpoint: z.string().url().describe("API endpoint to test"), http_method: z.enum(["GET", "POST", "PUT", "DELETE"]).default("GET").describe("HTTP method to use"), request_body: z.string().optional().describe("Request body (for POST/PUT requests)"), use_auth: z.boolean().default(true).describe("Whether to use current authentication if available"), }, async ({ endpoint, http_method, request_body, use_auth }) => { try { // Get auth headers if available and requested let headers = {}; if (use_auth) { const authManager = AuthManager.getInstance(); const authState = authManager.getAuthState(); if (authState.type !== 'none' && authState.headers) { headers = { ...headers, ...authState.headers }; } } // Make the request const response = await axios({ method: http_method.toLowerCase(), url: endpoint, data: request_body ? JSON.parse(request_body) : undefined, headers, validateStatus: () => true, // Accept any status code }); // Check for data leakage in the response const responseBody = typeof response.data === 'string' ? response.data : JSON.stringify(response.data); const responseHeaders = response.headers; // Patterns to check for in the response const sensitivePatterns = [ // PII { type: "Email Address", regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g }, { type: "Phone Number", regex: /(\+\d{1,3}[- ]?)?\d{3}[- ]?\d{3,4}[- ]?\d{4}/g }, { type: "Social Security Number", regex: /\b\d{3}[-]?\d{2}[-]?\d{4}\b/g }, // Credentials and Tokens { type: "API Key", regex: /(api[_-]?key|apikey|access[_-]?key|auth[_-]?key)[\"']?\s*[=:]\s*[\"']?([a-zA-Z0-9]{16,})/gi }, { type: "JWT", regex: /eyJ[a-zA-Z0-9_-]{5,}\.eyJ[a-zA-Z0-9_-]{5,}\.[a-zA-Z0-9_-]{5,}/g }, { type: "Password", regex: /(password|passwd|pwd)[\"']?\s*[=:]\s*[\"']?([^\"']{3,})/gi }, // Internal Info { type: "Internal Path", regex: /(\/var\/www\/|\/home\/\w+\/|C:\\Program Files\\|C:\\inetpub\\)/gi }, { type: "SQL Query", regex: /(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP)\s+.+?(?=FROM|WHERE|VALUES|SET|TABLE)/gi }, { type: "Stack Trace", regex: /(Exception|Error):\s*.*?at\s+[\w.<>$_]+\s+\(.*?:\d+:\d+\)/s }, { type: "IP Address", regex: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g }, ]; // Check for sensitive data in response const findings = []; for (const pattern of sensitivePatterns) { const matches = responseBody.match(pattern.regex); if (matches && matches.length > 0) { findings.push({ type: pattern.type, occurrence: matches.length, examples: matches.slice(0, 3), // Show max 3 examples severity: getSeverity(pattern.type), }); } } // Check response headers const sensitiveHeaders = checkSensitiveHeaders(responseHeaders); // Check for error details const errorDetails = checkErrorDetails(response); // Add authentication info to the report const authManager = AuthManager.getInstance(); const authState = authManager.getAuthState(); const authInfo = use_auth && authState.type !== 'none' ? `\nTest performed with authentication: ${authState.type}` : '\nTest performed without authentication'; return { content: [ { type: "text", text: formatFindings(findings, sensitiveHeaders, errorDetails, endpoint, authInfo), }, ], }; } catch (error) { return { content: [ { type: "text", text: `Error checking for sensitive data exposure: ${(error as Error).message}`, }, ], }; } } );
- src/tools/index.ts:5-15 (registration)Imports and calls registerDataLeakageTools(server) as part of registerSecurityTools, which registers the sensitive_data_check among other tools.import { registerDataLeakageTools } from "./dataLeakage.js"; import { registerRateLimitingTools } from "./rateLimiting.js"; import { registerSecurityHeadersTools } from "./securityHeaders.js"; /** * Register all security testing tools with the MCP server */ export function registerSecurityTools(server: McpServer) { registerAuthenticationTools(server); registerInjectionTools(server); registerDataLeakageTools(server);
- src/index.ts:9-20 (registration)Main server entry point imports and calls registerSecurityTools(server), initiating the registration chain for all tools including sensitive_data_check.import { registerSecurityTools } from "./tools/index.js"; import { registerResources } from "./resources/index.js"; // Create an MCP server const server = new McpServer({ name: "CyberMCP", version: "0.2.0", description: "MCP server for cybersecurity API testing and vulnerability assessment" }); // Register all our security testing tools registerSecurityTools(server);
- src/tools/dataLeakage.ts:46-62 (helper)Array of sensitive data detection patterns (regex) used by the handler to scan responses for leaked information, categorized by type.const sensitivePatterns = [ // PII { type: "Email Address", regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g }, { type: "Phone Number", regex: /(\+\d{1,3}[- ]?)?\d{3}[- ]?\d{3,4}[- ]?\d{4}/g }, { type: "Social Security Number", regex: /\b\d{3}[-]?\d{2}[-]?\d{4}\b/g }, // Credentials and Tokens { type: "API Key", regex: /(api[_-]?key|apikey|access[_-]?key|auth[_-]?key)[\"']?\s*[=:]\s*[\"']?([a-zA-Z0-9]{16,})/gi }, { type: "JWT", regex: /eyJ[a-zA-Z0-9_-]{5,}\.eyJ[a-zA-Z0-9_-]{5,}\.[a-zA-Z0-9_-]{5,}/g }, { type: "Password", regex: /(password|passwd|pwd)[\"']?\s*[=:]\s*[\"']?([^\"']{3,})/gi }, // Internal Info { type: "Internal Path", regex: /(\/var\/www\/|\/home\/\w+\/|C:\\Program Files\\|C:\\inetpub\\)/gi }, { type: "SQL Query", regex: /(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP)\s+.+?(?=FROM|WHERE|VALUES|SET|TABLE)/gi }, { type: "Stack Trace", regex: /(Exception|Error):\s*.*?at\s+[\w.<>$_]+\s+\(.*?:\d+:\d+\)/s }, { type: "IP Address", regex: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g }, ];