Sensitive Data Exposure

Vulnerability Category: A3 - Sensitive Data Exposure

Vulnerability Description: Sensitive data exposure vulnerabilities can occur when an application does not adequately protect sensitive information from being disclosed to attackers. For many applications this may be limited to information such as passwords, but it can also include information such as credit card data, session tokens, or other authentication credentials.

Impact: An attacker gains access to the exposed data, which can include sensitive information such as health records, credentials, personal data, credit card numbers, etc.

Recommendation:

● Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.

● Make sure to encrypt all sensitive data at rest.

● Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).

● Disable caching for responses that contain sensitive data.

Severity: Critical

CVSS v3.0 Score: 9.4

CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

How to test:

● Check for sensitive data in cookie fields

● Tokens that are leaked publicly

● Passwords disclosed in JS files

● Access to the sensitive API calls without proper authorization

● PII and Health records publicly available

● Password database uses unsalted hashes

● Check for pages that contain sensitive information being cached

● Unencrypted communication on login pages
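As an added example (not part of the original post), the following Python script turns three of the recommendations and test items above (HSTS enforcement, no caching of sensitive responses, no sensitive data or unprotected flags in cookies) into an offline check over constructed HTTP response headers; the header samples and cookie names are assumptions made for the example.

```python
# Constructed example: checks derived from the recommendations and test list above.
SENSITIVE_NAMES = ("password", "passwd", "pwd", "secret", "ssn", "card", "cvv")

def parse_cookie(value):
    """Split a Set-Cookie header value into (name, value, {attr: val})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), val, attrs

def audit_response(headers, sensitive=True):
    """Return exposure findings for one response; headers is a list of
    (name, value) pairs, sensitive=True means the body was classified
    as carrying sensitive data (first recommendation above)."""
    lowered = [(n.lower(), v) for n, v in headers]
    get = lambda name: [v for n, v in lowered if n == name]
    findings = []
    # Recommendation: enforce TLS with HSTS.
    if not get("strict-transport-security"):
        findings.append("missing HSTS: transport encryption not enforced")
    # Recommendation: disable caching for responses that contain sensitive data.
    if sensitive and "no-store" not in " ".join(get("cache-control")).lower():
        findings.append("sensitive response is cacheable: add Cache-Control: no-store")
    # Test: sensitive data in cookie fields, plus missing Secure/HttpOnly flags.
    for raw in get("set-cookie"):
        name, _, attrs = parse_cookie(raw)
        if any(s in name.lower() for s in SENSITIVE_NAMES):
            findings.append(f"cookie '{name}' stores sensitive data")
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks HttpOnly flag")
    return findings

# Constructed sample responses for an account-details page.
WEAK = [("Content-Type", "text/html"),
        ("Cache-Control", "public, max-age=3600"),
        ("Set-Cookie", "password=hunter2; Path=/"),
        ("Set-Cookie", "session=c0ffee; Path=/")]
HARDENED = [("Content-Type", "text/html"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Cache-Control", "no-store"),
            ("Set-Cookie", "session=c0ffee; Path=/; Secure; HttpOnly; SameSite=Strict")]

if __name__ == "__main__":
    print(audit_response(WEAK))      # 7 findings
    print(audit_response(HARDENED))  # []
```

The weak response produces seven findings and the hardened one none; feeding it real captured headers (for example from a proxy export) makes the cache and cookie checks in the test list repeatable.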

Note: If I wrote any mistakes in my posts, please notify me; I will rectify them and learn more about it.

#infosec enthusiast, pentester