Avoid exposing sensitive information
Summary
The application must not expose sensitive information in sections that are publicly accessible.
Description
Some applications have sections such as web pages and endpoints that are publicly exposed or do not require an initiated session to be accessed. These sections should contain neither sensitive corporate information nor users or employees personal data. Furthermore, corporate sensitive information should not be exposed on personal social network accounts either.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CAPECâ„¢-116. Excavation
- CWEâ„¢-200. Exposure of sensitive information to an unauthorized actor
- CWEâ„¢-359. Exposure of private personal information to an unauthorized actor
- ePrivacy Directive-4_1a. Security of processing
- GDPR-5_1f. Principles relating to processing of personal data
- OWASP TOP 10-A2. Cryptographic failures
- PA-DSS-9_1. Any web server and any cardholder data storage component are not required to be on the same server
- PDPA-6_24. Protection of personal data
- CMMC-AC_L1-3_1_22. Control public information
- HITRUST CSF-09_z. Publicly available information
- FedRAMP-AC-22. Publicly accessible content
- ISO/IEC 27002-8_1. User endpoint devices
- LGPD-7_X-3. Requirements for the Processing of Personal Data
- WASSEC-6_2_5_2. Information disclosure - Information leakage
- WASC-A_34. Predictable resource location
- WASC-W_13. Information leakage
- FERPA-D_35_a_2. Conditions of prior consent required to disclose information
- FERPA-D_35_b_1. Conditions of prior consent required to disclose information
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- ISSAF-T_19_2. Web application assessment - Global Countermeasures (server-side)
- OWASP Top 10 Privacy Risks-P1. Web application vulnerabilities
- OWASP Top 10 Privacy Risks-P2. Operator-sided data leakage
- OWASP ASVS-13_1_3. Generic web service security
- PCI DSS-1_4_5. Do not disclosure of internal IP addresses and routing information
- PCI DSS-6_5_5. Changes to all system components are managed securely
- OWASP API Security Top 10-API3. Broken Object Property Level Authorization
- ISO/IEC 27001-8_1. User endpoint devices
- CASA-13_1_3. Generic Web Service Security
- OWASP MASVS-PRIVACY-1. The app minimizes access to sensitive data and resources
Vulnerabilities
- 038.Business information leak
- 080.Business information leak - Customers or providers
- 213.Business information leak - JWT
- 214.Business information leak - Credentials
- 215.Business information leak - Repository
- 216.Business information leak - Source Code
- 217.Business information leak - Credit Cards
- 218.Business information leak - Network Unit
- 219.Business information leak - Redis
- 220.Business information leak - Token
- 221.Business information leak - Users
- 222.Business information leak - DB
- 223.Business information leak - JFROG
- 224.Business information leak - AWS
- 225.Business information leak - Azure
- 226.Business information leak - Personal Information
- 227.Business information leak - NAC
- 228.Business information leak - Analytics
- 229.Business information leak - Power BI
- 230.Business information leak - Firestore
- 291.Business information leak - Financial Information
- 336.Business information leak - Corporate information
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.