Categories: OWASP - Top 10

A6-Sensitive Data Exposure

Sensitive Data Exposure is difficult to exploit wheres prevalence and detect-ability is less common, but the impact is severe. Clearly if some sensitive data is leaked it will cause a severe fall out.

Here we have a user login’s into a website over HTTP which has no encryption, in this case attacker can get into the network and sniff the traffic which is also called as Man in the middle attack(MITM). Then attacker can clearly gain access to any of the data going over the connection.So they can easily retrieve user’s password, also the attacker can manipulate data sent over http.

Understanding Sensitive data Exposure

  1. Insufficient use of SSL (Login page with http,Mixed mode,Cookies not sent securely).
  2. Bad cryptography (Incorrect password usage,Weak algorithm,Poor protection of keys).
  3. Some other risks (Browser auto-complete,Disclosure via URL,Leaked logs).

Common Defences

  1. Minimize sensitive data collection(Reduce the window for storage).
  2. Apply HTTPS everywhere (Login pages and everything should be https).
  3. Use Cryptostorage for passwords (Use hash algorithms designed for password,Secure key Management).
AddThis Website Tools
Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

View Comments

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

11 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

11 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

11 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

11 hours ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

11 hours ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

11 hours ago