Hardcoded Sensitive Data

Overview of the Vulnerability

Sensitive data can be exposed when it is not behind an authorization barrier, and once exposed it places the application at further risk of compromise. This application has sensitive data hardcoded in it, such as API keys, credentials, or Personally Identifiable Information (PII). An attacker can use this hardcoded sensitive data to gain access to the application and escalate their privileges, which can lead to user account compromise and data exfiltration.

Business Impact

This vulnerability can lead to data exfiltration through the attacker’s ability to manipulate the application through their access to the hardcoded sensitive data. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. Capture the request using the HTTP interception proxy

  4. Observe the hardcoded sensitive data exposed in the request / source code:

{{screenshot}}

Proof of Concept (PoC)

The following screenshot shows the hardcoded sensitive data:

{{screenshot}}

Recommendation(s)

It is recommended not to hardcode any sensitive data within the application. Sensitive data should be encrypted both at rest and in transit. All data that is processed, stored, and transmitted by the application should be classified by business need, regulatory and industry requirements, and applicable privacy laws.

Additionally, it is best practice to not store sensitive data when it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data should therefore be a part of a regularly reviewed maintenance cycle. This review cycle should include rotation of secrets.
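The following Python is an added example for this recommendation and is not part of the original report template. It places the hardcoded pattern the report describes beside the hardened form, in which the secret is read from the environment (or a secrets manager) at runtime and a missing value fails loudly, and it adds a small scanner that flags the hardcoded form so it can be caught in code review or a pre-commit hook. The detection rules, the sample source text and the sample secret values are constructed for illustration; the `load_secret`, `missing_secrets` and `scan_source` function names are this example's own.

```python
"""Added example: hardcoded secrets beside the hardened runtime-loaded form,
plus a minimal scanner for the hardcoded shape. Rules and samples are
constructed; production scanners carry far larger rule sets."""
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed detection rules. The generic rule looks for a credential-like
# identifier assigned a quoted literal of 12+ characters; the other two match
# well-known secret shapes (AWS access key ID prefix, PEM private key header).
SECRET_PATTERNS = {
    "generic-credential": re.compile(
        r"""(?i)(api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['"](?P<secret>[A-Za-z0-9_\-/+=]{12,})['"]"""
    ),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(line: str, match: "re.Match") -> str:
    """Keep the line for context but hide the matched secret past its first 4 chars,
    so the finding itself does not re-expose the value in a report or log."""
    secret = match.groupdict().get("secret") or match.group(0)
    return line.replace(secret, secret[:4] + "...")


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_line) for each suspicious line.
    Each line reports at most one rule, so a finding is never double counted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, redact(line, match)))
                break
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened form: the secret comes from the environment (populated by a
    secrets manager or deployment tooling) and never lives in source control.
    A missing value raises instead of falling back to a baked-in default."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not configured")
    return value


def missing_secrets(names: List[str], env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Startup check: list the required secrets that are not configured."""
    env = os.environ if env is None else env
    return [n for n in names if not env.get(n)]


# Constructed sample in the vulnerable shape the report describes. The values
# are made up (the AKIA... string is a constructed, not a real, key ID).
VULNERABLE_SOURCE = """\
# constructed sample config with secrets baked into the source
API_KEY = "sk_live_0123456789abcdef0123"
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
db_password = "d3v-only-passw0rd-2024"
-----BEGIN RSA PRIVATE KEY-----
timeout = 30
"""

# The hardened shape: identifiers are the same, but no literal secret is present,
# so the scanner reports nothing.
HARDENED_SOURCE = """\
API_KEY = load_secret("API_KEY")
db_password = load_secret("DB_PASSWORD")
timeout = 30
"""

if __name__ == "__main__":
    for lineno, rule, shown in scan_source(VULNERABLE_SOURCE):
        print(f"line {lineno}: {rule}: {shown}")
    print("hardened findings:", scan_source(HARDENED_SOURCE))
    print("missing at startup:", missing_secrets(["API_KEY", "DB_PASSWORD"], {"API_KEY": "x"}))
```

Running the module prints one redacted finding per hardcoded line of the constructed sample and an empty list for the hardened form. Wiring `scan_source` into a pre-commit hook over staged files, and `missing_secrets` into application startup, turns the recommendation into two enforceable checks: a secret never enters the repository, and a deployment without its secrets refuses to start rather than silently using a default.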

For more information refer to the following guides relating to this vulnerability:
