Pay-Per-Use Abuse

Disclosure of Secrets Pay-Per-Use Abuse

Overview of the Vulnerability

Disclosure of secrets occurs when data is not properly secured, allowing sensitive data, such as secrets, API keys, or other data critical to business operations, to be exposed. This application discloses sensitive data that could be used by an attacker to make repeated API requests on a user's behalf without their knowledge. Additionally, if an attacker is able to chain this vulnerability with another, they could use their access to the API to escalate privileges on the application and its hosted environment.

Business Impact

Disclosure of secrets can lead to direct financial loss through an attacker making repeated requests to an API that is generally billed per use.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. Observe that the following secret for the API is exposed:

{{screenshot}}

  4. Send the following request to the endpoint:

{{request}}

  5. Observe the HTTP 200 OK success status response code

Proof of Concept (PoC)

The screenshot below displays the secrets disclosed:

{{screenshot}}

Recommendation(s)

It is recommended to encrypt sensitive data, including secrets, both when at rest and when in transit. All data that is processed, stored, and transmitted by the application should be classified by business need, regulatory and industry requirements, and appropriate privacy laws.

Additionally, it is best practice not to store sensitive data when it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data, including secrets, should therefore be part of a regularly reviewed maintenance cycle. This review cycle should include rotation of secrets.
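As an added example that is not part of this template, the following check can be run by the defending team in CI over the assets the application serves, flagging secret-like values before they reach a browser. The sample bundle and the key value in it are constructed, and the vendor key formats are assumptions to be adjusted for the providers actually in use.

```python
import math
import re

# Constructed: a fragment of a client-side bundle as the server would serve it.
# The key value below is made up for this example and is not a real credential.
SAMPLE_BUNDLE = """
const API_BASE = "https://api.example.test/v1";
const config = { apiKey: "sk_live_4eC39HqLyjWDarjtT1zdp7dc", region: "eu-west-1" };
const cssClass = "btn btn-primary btn-lg";
"""

# Known vendor key formats (assumed set; extend with the providers you use).
KNOWN_PREFIXES = [
    re.compile(r"\bsk_live_[0-9a-zA-Z]{16,}\b"),  # Stripe-style live secret key
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),         # AWS access key ID
]

# Generic rule: quoted string literals that look like opaque tokens.
CANDIDATE = re.compile(r"""["']([A-Za-z0-9_\-]{20,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score well above prose."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_exposed_secrets(body: str, entropy_threshold: float = 3.5) -> list:
    """Return (rule, value) pairs for secret-like values in a served body."""
    findings = []
    for pat in KNOWN_PREFIXES:
        for m in pat.finditer(body):
            findings.append(("known-format", m.group(0)))
    for m in CANDIDATE.finditer(body):
        token = m.group(1)
        if any(token in found for _, found in findings):
            continue  # already reported by a known-format rule
        if shannon_entropy(token) >= entropy_threshold:
            findings.append(("high-entropy", token))
    return findings


if __name__ == "__main__":
    for rule, value in find_exposed_secrets(SAMPLE_BUNDLE):
        print(f"{rule}: {value[:8]}... (redacted)")
```

A non-empty result should fail the build; the correct fix is to keep the key server-side behind an endpoint that enforces per-user quotas, not to obfuscate it in the bundle.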

For more information, refer to the Open Web Application Security Project (OWASP) guide relating to this vulnerability: https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
