owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

verifySSN: Area code can be larger than 740 #2970

Open jakubsuchy opened 11 months ago

jakubsuchy commented 11 months ago

The United States Social Security Number area code used to start with a number less than 740, but this is no longer the case:

https://www.ssa.gov/history/ssn/geocard.html

There are now routinely SSNs with area code larger than 740.

https://github.com/SpiderLabs/ModSecurity/blob/60f802e4801c8a4fee8e2caac90462e53651971f/src/operators/verify_ssn.cc#L103

martinhsv commented 10 months ago

Hello @jakubsuchy,

My skim of the documents suggests that the U.S. government is still not issuing numbers in the 900s. Should we perhaps consider including that in the if statement (instead of only rejecting '666')?

jakubsuchy commented 4 months ago

This doc says they now issue those I think: https://www.ssa.gov/employer/randomization.html

"Previously unassigned area numbers were introduced for assignment excluding area numbers 000, 666 and 900-999."
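Added example, not part of the thread and not ModSecurity's own code: a self-contained C++ sketch that puts the older area check described in this issue (area below 740) beside the rule in the SSA text quoted above (all areas except 000, 666 and 900-999). The names `SsnParts`, `AreaRule`, `parse_ssn` and `verify_ssn` are hypothetical, the sample numbers are constructed, and the group/serial check is an extra not discussed in the thread.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical names for this example; not ModSecurity's API.
struct SsnParts { int area; int group; int serial; };
enum class AreaRule { Legacy, Randomized };

// Accepts nine digits, either bare or written as AAA-GG-SSSS.
bool parse_ssn(const std::string &s, SsnParts &out) {
    std::string digits;
    for (std::size_t i = 0; i < s.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        if (std::isdigit(c)) {
            digits.push_back(s[i]);
        } else if (!(c == '-' && s.size() == 11 && (i == 3 || i == 6))) {
            return false;  // separators only in the AAA-GG-SSSS positions
        }
    }
    if (digits.size() != 9) return false;
    out.area = std::stoi(digits.substr(0, 3));
    out.group = std::stoi(digits.substr(3, 2));
    out.serial = std::stoi(digits.substr(5, 4));
    return true;
}

// Older rule as described in this issue: area below 740, and not 666.
bool area_ok_legacy(int area) { return area > 0 && area < 740 && area != 666; }

// SSA randomization text quoted above: all areas except 000, 666, 900-999.
bool area_ok_randomized(int area) { return area > 0 && area < 900 && area != 666; }

bool verify_ssn(const std::string &s, AreaRule rule) {
    SsnParts p;
    if (!parse_ssn(s, p)) return false;
    // Not discussed in the thread: SSA does not assign group 00 or serial 0000.
    if (p.group == 0 || p.serial == 0) return false;
    return rule == AreaRule::Legacy ? area_ok_legacy(p.area)
                                    : area_ok_randomized(p.area);
}

int main() {
    // Constructed sample values, not real SSNs.
    const char *samples[] = {"123-45-6789", "750-12-3456", "666-12-3456", "900-12-3456"};
    for (const char *s : samples) {
        std::cout << s << " legacy=" << verify_ssn(s, AreaRule::Legacy)
                  << " randomized=" << verify_ssn(s, AreaRule::Randomized) << "\n";
    }
    return 0;
}
```

The `750-12-3456` sample is the case this issue is about: it fails the older area check and passes the randomized one.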