Non-Corporate User

Disclosure of Secrets for Non-Corporate User

Overview of the Vulnerability

Disclosure of secrets occurs when sensitive data is not properly secured. Once secrets are exposed, the application is at further risk of compromise. This application discloses secrets for a non-corporate user, which an attacker can leverage to access the application and make requests on the legitimate user's behalf.

Business Impact

Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application via the access gained using the non-corporate user account. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application.

Steps to Reproduce

  1. Navigate to the following URL: {{URL}}

  2. Observe that the following secret for a non-corporate user is revealed:

{{value}}

Proof of Concept (PoC)

The screenshot(s) below display the secrets disclosed:

{{screenshot}}

Recommendation(s)

It is recommended to encrypt sensitive data, including secrets, both when at rest and when in transit. All data that is processed, stored, and transmitted by the application should be classified by business need, regulatory and industry requirements, and appropriate privacy laws.

Additionally, it is best practice to not store sensitive data when it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data including secrets should therefore be a part of a regularly reviewed maintenance cycle. This review cycle should include rotation of secrets.
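As an added illustration of the recommendations above (this is example code written for this page, not part of the template or of any affected application), the following Python check can be run over response bodies served to non-corporate or otherwise non-privileged users before release. It flags fields whose name suggests a credential, or whose value has the high entropy typical of a generated token, and shows how the flagged values would be redacted. The field names, the sample body and every value in it are constructed for the example; the entropy and length thresholds are heuristics chosen here, not a standard.

```python
import math
import re

# Field names that should never be returned to a non-privileged user (assumed list).
SENSITIVE_NAME = re.compile(r"(key|token|secret|password|passwd|credential)", re.IGNORECASE)

# Matches "name": "value" pairs in a JSON-like body (assumes simple string values).
PAIR = re.compile(r'"([A-Za-z_][A-Za-z0-9_]*)"\s*:\s*"([^"]*)"')

MIN_ENTROPY_BITS = 3.5   # bits per character; random tokens are typically above 4
MIN_LENGTH = 20          # short strings cannot be judged by entropy alone


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_exposed_secrets(body: str) -> dict:
    """Return {field_name: [reasons]} for every pair that looks like a secret."""
    findings = {}
    for name, value in PAIR.findall(body):
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("sensitive field name")
        # Entropy rule: long, whitespace-free values that look randomly generated.
        if (len(value) >= MIN_LENGTH and " " not in value
                and shannon_entropy(value) >= MIN_ENTROPY_BITS):
            reasons.append("high-entropy value")
        if reasons:
            findings[name] = reasons
    return findings


def redact(body: str, findings: dict) -> str:
    """Replace the value of every flagged field so the body is safe to return."""
    def _sub(m):
        name = m.group(1)
        if name in findings:
            return f'"{name}": "[REDACTED]"'
        return m.group(0)
    return PAIR.sub(_sub, body)


# Constructed sample response body; every value here is made up for this example.
SAMPLE_RESPONSE = """{
  "user": "guest",
  "role": "non-corporate",
  "api_key": "3f9a1c7be204d8e6b5a0c2f4d719e8ab",
  "display_hint": "aB3dE5fG7hI9jK1lM2nO4pQ6",
  "internal_token": "short",
  "greeting": "hello world"
}"""

if __name__ == "__main__":
    found = find_exposed_secrets(SAMPLE_RESPONSE)
    for field, why in found.items():
        print(f"{field}: {', '.join(why)}")
    print(redact(SAMPLE_RESPONSE, found))
```

In the sample, `api_key` is caught by both rules, `internal_token` only by its name (the value is too short to judge), and `display_hint` only by entropy, which is the case a name-based filter alone would miss. Heuristics of this kind produce false positives on long identifiers such as UUIDs, so findings should be reviewed rather than used to block deployments automatically.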

For more information, refer to the Open Web Application Security Project (OWASP) guide relating to this vulnerability: https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
