Sensitive Data Exposure is difficult to exploit wheres prevalence and detect-ability is less common, but the impact is severe. Clearly if some sensitive data is leaked it will cause a severe fall out.
Here we have a user login’s into a website over HTTP which has no encryption, in this case attacker can get into the network and sniff the traffic which is also called as Man in the middle attack(MITM). Then attacker can clearly gain access to any of the data going over the connection.So they can easily retrieve user’s password, also the attacker can manipulate data sent over http.
Understanding Sensitive data Exposure
- Insufficient use of SSL (Login page with http,Mixed mode,Cookies not sent securely).
- Bad cryptography (Incorrect password usage,Weak algorithm,Poor protection of keys).
- Some other risks (Browser auto-complete,Disclosure via URL,Leaked logs).
- Minimize sensitive data collection(Reduce the window for storage).
- Apply HTTPS everywhere (Login pages and everything should be https).
- Use Cryptostorage for passwords (Use hash algorithms designed for password,Secure key Management).