Critically Sensitive Data Exposure

Overview of the Vulnerability

Critically sensitive data exposure occurs when data such as secrets, API keys, credentials, or other data critical to business operation is not properly protected and becomes accessible to an unauthorised party. The data is classed as critically sensitive because its exposure would likely trigger a high-priority incident.

Business Impact

Critically sensitive data exposure can lead to indirect financial loss if an attacker uses the exposed data to access, delete, or modify data within the application. If the exposed secret is a private API key for a pay-per-use service, an attacker who repeatedly calls that API with it causes a direct financial cost to the business.

It can also cause reputational damage through loss of customer trust. The severity of the business impact depends on the sensitivity of the data stored in and transmitted by the application and the API, and on what the exposed secret grants access to.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. Observe and copy the critically sensitive data that is exposed

  4. Using the HTTP interception proxy, forward the following request, which uses the exposed data:

{{request}}

  5. Verify that the critically sensitive data is valid and allows access to other data or functionality
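The following script is an added example that is not part of this template or of Bugcrowd's tooling. It automates steps 3 to 5 against a captured response body: it scans the body for well-known secret formats and for JSON fields whose names suggest a credential, prints the request you would forward through the proxy, and classifies the API's answer. The response body, the secret values (the AWS pair is Amazon's documented example key), the API URL and the assumption that the API accepts the key as a bearer token are all constructed for the example; adjust the header to the target's documented authentication scheme, and only send the verification request to a target you are authorised to test.

```python
import json
import re
import urllib.error
import urllib.request

# Constructed sample of a captured HTTP response body. All values are made up
# (the AWS pair is Amazon's documented example key) so the scan finds something.
SAMPLE_RESPONSE_BODY = json.dumps({
    "user": {"id": 1042, "email": "alice@example.com"},
    "config": {
        "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "analytics_write_key": "Ab3dEf9hIjKl0mNoPqRsTuVwXyZ12345",
        "feature_flags": {"beta_ui": True},
    },
})

# Format-specific patterns for secret types whose value alone identifies them.
FORMAT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "stripe_live_secret": re.compile(r"\b(sk_live_[0-9a-zA-Z]{24,})\b"),
    "slack_token": re.compile(r"\b(xox[abpr]-[0-9A-Za-z-]{10,})\b"),
}

# Heuristic: a JSON string field whose name suggests a credential, whatever the
# value looks like. Deliberately broad ("key" alone matches), so expect to triage.
SUSPICIOUS_FIELD = re.compile(
    r'"([A-Za-z0-9_.-]*(?:secret|token|password|passwd|key)[A-Za-z0-9_.-]*)"'
    r'\s*:\s*"([^"]{8,})"',
    re.IGNORECASE,
)


def find_exposed_secrets(body: str) -> list[dict]:
    """Return candidate secrets found in a response body, deduplicated by value."""
    found = {}
    for kind, pattern in FORMAT_PATTERNS.items():
        for m in pattern.finditer(body):
            found.setdefault(m.group(1), {"kind": kind, "field": None, "value": m.group(1)})
    for m in SUSPICIOUS_FIELD.finditer(body):
        field, value = m.group(1), m.group(2)
        entry = found.setdefault(value, {"kind": "suspicious_field", "field": field, "value": value})
        if entry["field"] is None:  # format match, now annotated with its field name
            entry["field"] = field
    return list(found.values())


def verification_request(secret: dict, api_url: str) -> dict:
    """Describe the request to forward through the proxy (step 4).

    Assumes the API reads the key from an Authorization: Bearer header; change
    this to match the target's documented scheme (e.g. an X-Api-Key header).
    """
    headers = {"Authorization": f"Bearer {secret['value']}"}
    curl = f"curl -i -H 'Authorization: Bearer {secret['value']}' '{api_url}'"
    return {"method": "GET", "url": api_url, "headers": headers, "curl": curl}


def check_secret_live(req: dict, send=urllib.request.urlopen, timeout=10) -> str:
    """Send the verification request and classify the answer (step 5).

    Returns 'valid' for a 2xx authenticated response, 'rejected' for 401/403,
    otherwise 'inconclusive'. `send` is injectable so the logic runs offline.
    """
    request = urllib.request.Request(req["url"], headers=req["headers"], method=req["method"])
    try:
        with send(request, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:  # urlopen raises on 4xx/5xx
        status = e.code
    except (urllib.error.URLError, OSError):
        return "inconclusive"
    if 200 <= status < 300:
        return "valid"
    if status in (401, 403):
        return "rejected"
    return "inconclusive"


if __name__ == "__main__":
    # Constructed API URL; the live check is left to the tester on an authorised target.
    for s in find_exposed_secrets(SAMPLE_RESPONSE_BODY):
        print(f"{s['kind']:18s} field={s['field']} value={s['value']}")
        print("  " + verification_request(s, "https://api.example.com/v1/me")["curl"])
```

Save the captured body from the proxy to a file and pass it to `find_exposed_secrets` instead of the sample; a hit from `FORMAT_PATTERNS` is a near-certain secret, while a `suspicious_field` hit needs the step 5 check before it goes in the report.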

Proof of Concept (PoC)

The screenshots below display the critically sensitive data (for example, a password or API key) that was disclosed:

{{screenshot}}

Guidance

Your submission must include evidence of the vulnerability and not be theoretical in nature. Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full proof-of-concept (PoC).

For exposed critically sensitive data, include a screenshot of the critically sensitive data itself, as well as a screenshot from the HTTP interception proxy showing that data being used successfully to perform an authenticated action or a successful call to the API.

Recommendation(s)

It is recommended to encrypt sensitive data, including secrets, both at rest and in transit. Encryption in transit does not help if the application itself returns a secret to the client, so secrets should be held server side (for example in a secrets manager or environment configuration) and never embedded in client-side code or included in responses sent to the browser. All data that the application processes, stores, and transmits should be classified according to business need, regulatory and industry requirements, and applicable privacy laws.

Additionally, it is best practice not to retain sensitive data once it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data, including secrets, should therefore be part of a regularly reviewed maintenance cycle that includes rotation of secrets. Any secret confirmed as exposed should be revoked and rotated immediately rather than waiting for the next scheduled rotation.
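As an added illustration of the recommendation above (example code, not from this template or any particular product), the block below shows the pattern that typically produces this finding, a client configuration endpoint that serialises the whole server-side settings object, beside a hardened version that only emits an explicit allowlist of client-safe fields and refuses to allowlist anything named like a secret. The settings, field names and values are constructed for the example; `leaked_fields` is a cheap regression check you can run over every client-facing response in tests.

```python
import json

# Constructed server-side settings. In production these come from a secrets
# manager or environment configuration; the values here are made up.
SETTINGS = {
    "stripe_publishable_key": "pk_test_exampleonly",  # designed for the browser
    "stripe_secret_key": "sk_test_exampleonly",        # must never leave the server
    "maps_api_key": "browser-restricted-example-key",  # client-safe by design
    "db_password": "not-a-real-password",
}


def vulnerable_client_config(settings=SETTINGS) -> str:
    """Vulnerable: ships the entire settings object to the browser.

    Every field added to SETTINGS later is exposed to all clients by default.
    """
    return json.dumps({"config": settings})


# Hardened: an explicit allowlist. Fields are excluded unless named here, and
# an attempt to allowlist something that looks like a secret fails loudly.
CLIENT_SAFE_FIELDS = frozenset({"stripe_publishable_key", "maps_api_key"})
SECRET_MARKERS = ("secret", "password", "private", "token")


def hardened_client_config(settings=SETTINGS, allowlist=CLIENT_SAFE_FIELDS) -> str:
    for name in allowlist:
        if any(marker in name.lower() for marker in SECRET_MARKERS):
            raise ValueError(f"refusing to expose server secret {name!r} to clients")
    public = {k: v for k, v in settings.items() if k in allowlist}
    return json.dumps({"config": public})


def leaked_fields(body: str, settings=SETTINGS) -> list[str]:
    """Names of settings whose values appear verbatim in a response body.

    Run this against every client-facing response in the test suite so a
    regression that reintroduces a secret fails the build.
    """
    return [k for k, v in settings.items() if isinstance(v, str) and v in body]


if __name__ == "__main__":
    print("vulnerable leaks:", leaked_fields(vulnerable_client_config()))
    print("hardened exposes:", leaked_fields(hardened_client_config()))
```

The naming check is a safety net, not the control: the control is that only allowlisted fields are serialised. Pair it with rotation of any secret that has already been served to clients, since removing it from future responses does not invalidate copies an attacker already holds.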

For more information, refer to the Open Web Application Security Project (OWASP) Proactive Controls guidance relating to this vulnerability (C8: Protect Data Everywhere): https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
