Avoid exposing sensitive information

Summary

The application must not expose sensitive information in sections that are publicly accessible.

Description

Some applications have sections such as web pages and endpoints that are publicly exposed or do not require an initiated session to be accessed. These sections should contain neither sensitive corporate information nor users or employees personal data. Furthermore, corporate sensitive information should not be exposed on personal social network accounts either.

Supported In

This requirement is verified in following services

Plan	Supported
Machine	🔴
Squad	🟢

References

• CAPEC™-116. Excavation
• CWE™-200. Exposure of sensitive information to an unauthorized actor
• CWE™-359. Exposure of private personal information to an unauthorized actor
• ePrivacy Directive-4_1a. Security of processing
• GDPR-5_1f. Principles relating to processing of personal data
• OWASP TOP 10-A2. Cryptographic failures
• PA-DSS-9_1. Any web server and any cardholder data storage component are not required to be on the same server
• PDPA-6_24. Protection of personal data
• CMMC-AC_L1-3_1_22. Control public information
• HITRUST CSF-09_z. Publicly available information
• FedRAMP-AC-22. Publicly accessible content
• ISO/IEC 27002-8_1. User endpoint devices
• LGPD-7_X-3. Requirements for the Processing of Personal Data
• WASSEC-6_2_5_2. Information disclosure - Information leakage
• WASC-A_34. Predictable resource location
• WASC-W_13. Information leakage
• FERPA-D_35_a_2. Conditions of prior consent required to disclose information
• FERPA-D_35_b_1. Conditions of prior consent required to disclose information
• NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• ISSAF-T_19_2. Web application assessment - Global Countermeasures (server-side)
• OWASP Top 10 Privacy Risks-P1. Web application vulnerabilities
• OWASP Top 10 Privacy Risks-P2. Operator-sided data leakage
• OWASP ASVS-13_1_3. Generic web service security
• PCI DSS-1_4_5. Do not disclosure of internal IP addresses and routing information
• PCI DSS-6_5_5. Changes to all system components are managed securely
• OWASP API Security Top 10-API3. Excessive Data Exposure
• ISO/IEC 27001-8_1. User endpoint devices
• CASA-13_1_3. Generic Web Service Security

Vulnerabilities

• 038. Business information leak
• 080. Business information leak - Customers or providers
• 213. Business information leak - JWT
• 214. Business information leak - Credentials
• 215. Business information leak - Repository
• 216. Business information leak - Source Code
• 217. Business information leak - Credit Cards
• 218. Business information leak - Network Unit
• 219. Business information leak - Redis
• 220. Business information leak - Token
• 221. Business information leak - Users
• 222. Business information leak - DB
• 223. Business information leak - JFROG
• 224. Business information leak - AWS
• 225. Business information leak - Azure
• 226. Business information leak - Personal Information
• 227. Business information leak - NAC
• 228. Business information leak - Analytics
• 229. Business information leak - Power BI
• 230. Business information leak - Firestore
• 291. Business information leak - Financial Information
• 336. Business information leak - Corporate information

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.