
Sensitive Information Disclosure

  1. Sensitive Information Disclosure
    1. Description
    2. Impact
    3. Scenarios
    4. Prevention
    5. Testing
    6. References

Description

Sensitive Information Disclosure (also known as Sensitive Data Exposure) occurs when an application fails to adequately protect sensitive information, so that it is revealed to parties who are not supposed to have access to it.

Sensitive data includes application-related information, such as session tokens, file names and stack traces, as well as confidential information, such as passwords, credit card data, health records, private communications, intellectual property, metadata, and the product's source code.

Whatever the underlying flaw that causes the disclosure, any component of any kind of service is potentially at risk: the problem arises in databases, operating systems and network devices alike. It is particularly prevalent in web applications; the OWASP Top 10:2021 addresses it under Insecure Design (for example, error messages that reveal internal details) and under Cryptographic Failures, the category previously titled Sensitive Data Exposure.

Privacy and security legislation and regulations are created and revised to ensure that organizations holding sensitive data meet their obligations to safeguard it. The European General Data Protection Regulation (GDPR) is one such law; the Payment Card Industry Data Security Standard (PCI DSS) is not a law but a contractual industry standard that imposes comparable obligations on anyone handling cardholder data.

Impact

The scale of impact from a Sensitive Information Disclosure event is limited only by the type of sensitive information disclosed and a malicious actor’s ability to leverage it.

For example, the fallout could be as minor as a local pathname being disclosed in a stack trace, allowing a malicious actor to improve their knowledge of the target’s implementation details, right through to a full-blown data leak involving millions of customers’ confidential data.

Scenarios

One typical example is allowing end users to receive the application server's default error pages. These can expose the file-system location of the file that raised the error, the exact version of the server, and the versions of third-party components. Attackers can use this knowledge in a variety of ways, for example to select well-known exploits for one particular version of a component.

A more severe scenario is a web page that renders the error message returned by a SQL server for a failed query. If the attacker controls some parameter of that query, the error text turns the database into an oracle: by sending specially crafted input and reading the resulting errors, the attacker can exfiltrate arbitrary data from the database (error-based SQL injection).

Countless technologies under the IT umbrella are susceptible to this broad vulnerability class; essentially, anything that holds even minimal information and is not properly locked down may become the prey of a determined malicious actor.
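The two scenarios above (a raw server error echoed to the client, and a SQL error for an attacker-controlled parameter), as an added example that is not part of the original page: a vulnerable lookup that formats user input into the query and returns the failed statement and error text, next to a hardened version that passes the value as a parameter, logs the full traceback under an incident ID and returns only that ID to the client. It uses Python's standard-library sqlite3 module with a constructed in-memory table; the handler names, the `users` table and the incident-ID scheme are assumptions for illustration.

```python
import logging
import sqlite3
import traceback
import uuid


class RecordingHandler(logging.Handler):
    """Keeps formatted log records in memory so the demo can show what was
    logged server-side without touching the file system."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


LOG = logging.getLogger("app.errors")
LOG.propagate = False
LOG_SINK = RecordingHandler()
LOG.addHandler(LOG_SINK)


def make_db():
    """Constructed in-memory database standing in for the application's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable handler: the query is built by string formatting and the raw
    error, together with the statement that failed, is echoed to the client.
    A single quote in `name` is enough to learn the query shape and the engine."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    try:
        row = conn.execute(sql).fetchone()
        return 200, row[0] if row else "not found"
    except sqlite3.Error as exc:
        # Developer-style debugging response: leaks the statement and the error class.
        return 500, f"Query failed: {sql}\n{type(exc).__name__}: {exc}"


def lookup_hardened(conn, name, log=LOG):
    """Hardened handler: parameterised query; the full traceback is logged
    under an opaque incident ID and the client sees only that ID."""
    try:
        row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
        return 200, row[0] if row else "not found"
    except sqlite3.Error:
        incident_id = uuid.uuid4().hex
        log.error("incident=%s\n%s", incident_id, traceback.format_exc())
        return 500, f"An internal error occurred (reference {incident_id})"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "'"))          # leaks the SQL text and the error class
    print(lookup_hardened(conn, "'"))            # (200, 'not found'): the quote is just data
    conn.close()                                 # simulate an infrastructure failure
    print(lookup_hardened(conn, "alice"))        # generic message plus reference ID
    print(LOG_SINK.records[-1].splitlines()[0])  # the detail lives in the server log only
```

The reference ID is what makes the generic message workable in practice: support staff can find the full traceback in the log by that ID, while the client learns nothing about the query, the engine or the file system.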

Prevention

Sensitive Information Disclosure is a symptom of poorly implemented security controls. Preventing it requires developers to follow established industry best practices, in line with current regulations, so that an attacker has as little to work with as possible.

  • Gracefully handle errors and avoid exposing internal stack traces, configuration values, or sensitive context in responses.
  • Ensure logs capture only what is necessary and are protected from unauthorized access.
  • Strip debug features, test credentials, sample data, and development-only endpoints from all production builds.
  • Never hardcode secrets in source code or repositories; inject them at runtime via environment variables or, preferably, managed secrets and configuration services.
  • Encrypt sensitive data in transit and at rest using approved cryptographic standards.
  • Add automated secret scanning and configuration checks to CI/CD pipelines to prevent leakage before deployment.
  • Classify all data by sensitivity, regulatory scope, and business impact, and reflect this classification in system architecture and data flows.
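A minimal secret scanner of the kind the CI/CD bullet above describes, added here as an example and not part of the original page or of any particular scanning tool: it runs a handful of rules over repository text, skips obvious placeholders so that template files such as `.env.example` do not fail the build, and returns a non-zero exit status when it finds anything. The rules, the sample files and their contents are constructed for illustration; the AWS access key ID is the documented example value from the AWS documentation, not a live key.

```python
import re
import sys

# Each rule: (name, compiled pattern). Group 1 is the candidate secret value,
# so placeholders can be recognised and skipped.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)")),
    ("hardcoded-credential", re.compile(
        r"""(?i)(?:password|passwd|secret(?:[_-]?key)?|api[_-]?key|token)\s*[:=]\s*['"]([^'"\s]{8,})['"]""")),
]

# Values that look like secrets but are obviously templates, not real credentials.
PLACEHOLDER = re.compile(r"(?i)^(?:changeme|change_me|placeholder|your[_-].*|<.*>|\$\{.*\}|x{8,}|\*{8,})$")


def scan_text(path, text):
    """Return (path, line_number, rule_name) for every line that matches a rule
    and whose captured value is not an obvious placeholder."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match and not PLACEHOLDER.match(match.group(1)):
                findings.append((path, line_no, name))
    return findings


def scan_files(files):
    """`files` maps path -> content (in a real pipeline, read from the checkout)."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository (hypothetical paths and values, not real credentials).
SAMPLE_REPO = {
    "config/settings.py": (
        "import os\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']  # injected at runtime: fine\n"
        "API_KEY = 'sk-live-9f2c8e1b7a6d4c3e5f0a'  # hardcoded: finding\n"
    ),
    ".env.example": 'DB_PASSWORD="CHANGEME"\nSECRET_KEY="<your-secret-key>"\n',
    "deploy/creds.txt": "AKIAIOSFODNN7EXAMPLE\n-----BEGIN RSA PRIVATE KEY-----\n",
}


def main():
    findings = scan_files(SAMPLE_REPO)
    for path, line_no, rule in findings:
        print(f"{path}:{line_no}: {rule}")
    # A non-zero exit fails the CI job so the leak never reaches deployment.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Pattern-based scanning finds the common shapes (cloud key IDs, PEM blocks, quoted credentials next to a telling variable name); an entropy check on long string literals catches the rest, at the cost of more false positives. Whichever rules are used, the value in `SAMPLE_REPO` that is read from `os.environ` is the pattern the preceding bullet recommends and is correctly left alone.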

Testing

Verify that confidential data cannot be observed or disclosed by unauthorized parties. In practice this means deliberately triggering error conditions (malformed input, missing resources, failed database calls) and inspecting the responses and headers for stack traces, file paths, version banners and raw database errors; reviewing what the logs record; and checking repositories, build artifacts and deployed configuration for hardcoded credentials and leftover debug or test features.
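One concrete way to test for disclosure in responses, added here as an example rather than taken from the original page: an inspector that flags version banners in headers and stack traces, file paths, database error strings and internal addresses in bodies, run over two constructed responses (a verbose error page and a hardened one). The rules and the sample responses are assumptions for illustration and should be extended with the signatures of the stack actually in use.

```python
import re

# Indicator rules for sensitive detail in response bodies: (name, pattern).
BODY_RULES = [
    ("stack-trace", re.compile(
        r"Traceback \(most recent call last\)|at [\w$.]+\(\w+\.java:\d+\)|Exception in thread")),
    ("file-path", re.compile(
        r"(?:/var/www/|/home/\w+/|/usr/local/|[A-Za-z]:\\(?:inetpub|Users|Windows)\\)\S*")),
    ("database-error", re.compile(
        r"You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE\[|sqlite3\.\w+Error|"
        r"unterminated quoted string|Unclosed quotation mark|syntax error at or near",
        re.IGNORECASE)),
    ("internal-address", re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
]

# Headers that commonly advertise exact software versions.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_NUMBER = re.compile(r"\d+\.\d+(?:\.\d+)?")


def inspect_response(status, headers, body):
    """Return a list of (location, rule, evidence) for each indicator found."""
    findings = []
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS and VERSION_NUMBER.search(value):
            findings.append((f"header:{name}", "version-banner", value))
    for rule, pattern in BODY_RULES:
        match = pattern.search(body)
        if match:
            findings.append(("body", rule, match.group(0).strip()[:80]))
    # A 5xx with a long body deserves a manual look even when no rule fires:
    # a generic error handler should not have much to say.
    if status >= 500 and len(body) > 512 and not findings:
        findings.append(("body", "verbose-error", f"{len(body)} bytes"))
    return findings


# Constructed responses standing in for what a test harness would capture.
VERBOSE_500 = {
    "status": 500,
    "headers": {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
                "Content-Type": "text/html"},
    "body": (
        "<h1>Fatal error</h1>\n"
        "Uncaught PDOException: SQLSTATE[42000]: Syntax error near ''' at line 1\n"
        "in /var/www/html/app/models/User.php:88\n"
    ),
}

HARDENED_500 = {
    "status": 500,
    "headers": {"Server": "Apache", "Content-Type": "application/json"},
    "body": '{"error": "An internal error occurred", "reference": "9c1f0e2b"}',
}


if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE_500), ("hardened", HARDENED_500)):
        hits = inspect_response(resp["status"], resp["headers"], resp["body"])
        print(f"{label}: {len(hits)} finding(s)")
        for location, rule, evidence in hits:
            print(f"  {location:22} {rule:18} {evidence}")
```

Run the inspector over the responses a crawler or test suite collects, paying particular attention to the ones produced by deliberately bad input; a response that trips `version-banner`, `file-path` or `database-error` is exactly the default error page or raw SQL error the Scenarios section warns about.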

References

OWASP - Top 10:2021 Insecure Design

CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
