
A3 Sensitive Data Exposure


Description:

Sensitive data exposure is a vulnerability that occurs when a web application fails to adequately protect sensitive information from being revealed to illegitimate users.



Many web applications do not properly protect sensitive user data such as credit card information, bank account details or authentication credentials. Sensitive data exposure vulnerabilities occur when an application does not adequately protect sensitive information from being disclosed to attackers. For many applications this may be limited to passwords, but it can also include credit card data, session tokens, or other authentication credentials.

Let us understand the Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impact of this flaw with the help of a simple diagram.





Example Attack Scenarios:

Example #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. Alternatives include not storing credit card numbers, using tokenization, or using public key encryption.

Example #2: A site doesn't use TLS for all authenticated pages. An attacker simply monitors network traffic (for example on an open wireless network) and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's session, accessing the user's private data.

Example #3: The password database uses unsalted hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All of the unsalted hashes can be exposed with a rainbow table of precalculated hashes.


Prevention:

1. Encrypt the data and define accessibility:
It is crucial to encrypt data whether it is stored or in transit. Data in plain text is an open invitation to attackers. Identify the data that requires extra protection and limit access to a small set of legitimate users by enforcing key-based encryption.

2. Secure authentication gateways:
Use standard security technology such as SSL/TLS to ensure that all data passed between the browser and the web server is encrypted and remains private. Use HTTPS connections to secure data.

3. Prevent password attacks:
Breaches caused by weak passwords are the most common type of security breach. Enforce strong passwords and store them only with a password hashing function. Rotate passwords every month or two.

4. Conduct regular risk assessment:
Risk levels and liabilities may change as business processes change. It is necessary to periodically monitor and update the security controls to counter any potential threat.

5. Have a backup plan:
In the case of theft, the greatest loss occurs when no backup exists. Keeping a protected and secure backup of the sensitive data can help mitigate these losses.
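To make Example #3 and prevention point 3 concrete, here is an added Python example (not part of the original post) contrasting the unsalted scheme with salted PBKDF2-HMAC-SHA256 from the standard library. The user list and passwords are constructed sample data; the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: two users happen to share the same weak password.
USERS = {"alice": "Summer2019!", "bob": "Summer2019!", "carol": "correct horse"}

def unsalted_hash(password: str) -> str:
    """The weak scheme from Example #3: one deterministic digest per password.
    Because the digest depends only on the password, a single precalculated
    table serves every user in the database."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash; returns 'iterations$salt_hex$digest_hex'.
    A fresh random salt per user makes precalculated tables useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def duplicate_digests(stored_values) -> int:
    """Defender's check on a password table: count stored values shared by
    more than one account. Any duplicates mean the store is unsalted."""
    counts = {}
    for value in stored_values:
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)

if __name__ == "__main__":
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("duplicates in unsalted store:", duplicate_digests(weak.values()))
    print("duplicates in salted store:  ", duplicate_digests(strong.values()))
    print("alice login ok:", verify_password("Summer2019!", strong["alice"]))
```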


NOTE: Information on this blog is for educational purposes only.
