Disclosure of Secrets for Internal Asset
Overview of the Vulnerability
Disclosure of secrets for internal assets occurs when secrets belonging to an internal asset, such as credentials, API keys, tokens or private keys, are reachable without passing an authorization check. This can happen when the data is stored or served without encryption, when secrets are committed to public GitHub repositories, or when an internal asset is exposed to the internet.
Secrets disclosed from this internal asset could be used by an attacker to access the internal application, or the environment in which the application is hosted, as a legitimate client or service.
Business Impact
Disclosure of secrets for internal assets can lead to indirect financial loss if an attacker uses them to access, delete, or modify data within the application. The secrets may be obtained by an insider, recovered from an earlier data breach, or used by a malicious internal actor to escalate their privileges. Reputational damage can also follow from the loss of customer trust that such events cause. The severity of the impact depends on the sensitivity of the data stored in and transmitted by the application, and on what the disclosed secrets grant access to.
Steps to Reproduce
Set up an HTTP interception proxy, such as Burp Suite or OWASP ZAP
Use a browser to navigate to: {{url}}/data/
Intercept the response with the HTTP interception proxy
Observe that the response discloses sensitive data (secrets) without any authorization having been required, as seen below:
{{screenshot}}
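To make the "observe the disclosure" step repeatable rather than a visual check, the following scanner flags common secret indicators in an intercepted response body. It is an added example, not part of the original template; the response body, the key names and the credential values in it are constructed placeholders (the AWS key is the documented example key), and the patterns are a starting set that a tester would extend for the asset under review.

```python
import re
from typing import List, Tuple

# Constructed stand-in for the response the proxy shows at {{url}}/data/.
# Every value below is a fabricated placeholder, not a real credential.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json

{
  "db_url": "postgres://appuser:Sup3rS3cret@db.internal:5432/app",
  "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
  "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  "github_token": "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123",
  "private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEA...\\n-----END RSA PRIVATE KEY-----",
  "version": "1.4.2"
}
"""

# Indicators a reviewer would flag. Where a pattern has a capture group, the
# group is the secret itself; otherwise the whole match is. Kept narrow to
# limit false positives; extend for the target's own secret formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    # scheme://user:PASSWORD@host -> captures PASSWORD
    "credentials_in_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@\"']+:([^/\s@\"']+)@"),
    # key names that usually hold secrets, in JSON, YAML or .env style
    "keyword_assignment": re.compile(
        r"(?i)\b[a-z0-9_]*(?:secret|password|passwd|token|api[_-]?key)[a-z0-9_]*"
        r"[\"']?\s*[:=]\s*[\"']?([^\"'\s,]{8,})"
    ),
}


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding is identifiable in a report without
    reproducing the secret in it."""
    return f"{value[:keep]}...({len(value)} chars)"


def find_secrets(body: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_kind, masked_value) for every hit.
    A secret may be reported under more than one kind; that is intended,
    since each kind is independent evidence for the report."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                hits.append((lineno, kind, mask(value)))
    return hits


if __name__ == "__main__":
    for lineno, kind, masked in find_secrets(SAMPLE_RESPONSE):
        print(f"line {lineno:>3}  {kind:<20} {masked}")
```

Run it against the saved response from the proxy instead of SAMPLE_RESPONSE to turn the screenshot into a list of masked findings for the report; the masking is deliberate, since the report itself should not become another place the secret is disclosed.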
Proof of Concept (PoC)
The screenshots below show the full exploit:
{{screenshot}}
Recommendation(s)
It is recommended that the exposed endpoint be placed behind authentication and authorization checks, and that secrets are never returned in responses at all, since a value that is not served cannot be disclosed. Sensitive data, including secrets, should be encrypted both at rest and in transit. All data that is processed, stored, and transmitted by the application should be classified according to business need, regulatory and industry requirements, and applicable privacy laws.
Additionally, it is best practice not to retain sensitive data once it is no longer required, as data that is not retained cannot be accessed or misused. All sensitive data, including secrets, should therefore be part of a regularly reviewed maintenance cycle that includes rotation of secrets. Any secret that has been disclosed should be treated as compromised and be revoked and rotated, not merely hidden.
For more information refer to Open Web Application Security Project (OWASP) guide relating to this vulnerability: https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
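As an illustration of the first recommendation (authorization before the data, and no secrets in the response regardless), the following shows a vulnerable handler for a `/data/` endpoint beside a hardened one. This is an added example, not code from the original template or from any product; the settings object, its values, the `DATA_TOKEN` environment variable and the handler names are all assumptions made for the example.

```python
import hmac
import os
from typing import Dict, Tuple

# Constructed settings standing in for the internal asset's configuration.
# Values are placeholders, not real credentials.
SETTINGS = {
    "service_name": "inventory-api",
    "version": "1.4.2",
    "db_url": "postgres://appuser:Sup3rS3cret@db.internal:5432/app",
    "api_key": "AKIAIOSFODNN7EXAMPLE",
}

# Keys that must never appear in a response body, authorised caller or not.
SECRET_KEYS = frozenset({"db_url", "api_key"})

# Bearer token expected from internal callers. Assumed to be provisioned via
# the environment; the fallback exists only so the example runs stand-alone.
DATA_TOKEN = os.environ.get("DATA_TOKEN", "constructed-example-token")

Request = Dict[str, str]             # request headers are all we need here
Response = Tuple[int, Dict[str, str]]  # (status code, JSON-serialisable body)


def vulnerable_data_handler(request: Request) -> Response:
    """Before: no authorization check, and the full settings object,
    secrets included, goes to whoever requests /data/."""
    return 200, dict(SETTINGS)


def _authorised(request: Request) -> bool:
    """Accept only 'Authorization: Bearer <DATA_TOKEN>', compared in
    constant time so the token cannot be guessed byte by byte."""
    scheme, _, token = request.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), DATA_TOKEN.encode())


def hardened_data_handler(request: Request) -> Response:
    """After: authorization first; then only the non-secret view is served.
    Secrets stay in the process and are never serialised into a response."""
    if not _authorised(request):
        return 401, {"error": "unauthorized"}
    public_view = {k: v for k, v in SETTINGS.items() if k not in SECRET_KEYS}
    return 200, public_view


if __name__ == "__main__":
    print("vulnerable, anonymous:", vulnerable_data_handler({}))
    print("hardened, anonymous:  ", hardened_data_handler({}))
    print("hardened, authorised: ",
          hardened_data_handler({"Authorization": f"Bearer {DATA_TOKEN}"}))
```

The two checks are independent on purpose: the authorization gate stops anonymous access, and the allow-list of non-secret keys means that even a bug in the gate, or a legitimate but compromised client, cannot pull the secrets out through this endpoint.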