Sensitive Data Exposure Vulnerability exists in a web application when it is poorly designed. It allow attacker to apply various security practices and find the sensitive data that is related to particular website. By Sensitive Data Exposure vulnerability, attackers may be able to find sensitive data such as session tokens, authentication credentials, databases etc. By such sensitive data an attacker will be able to exploit the web application and the security of website will be breached.
Is Web Application Vulnerable to Sensitive Data Exposure ?
As of now, we know the basic concept of Sensitive Data Exposure Vulnerability, but how to test our web application vulnerable to such type of vulnerability? In this article, we are going to discuss about the weak points that exist in a web application where vulnerability can be exploited by attackers.
- Clear Text Transmission: If there is clear transmission of data in background in a web application then there might be a risk of data exposure to the attacker. Example – clear transmission of text may includes the credentials of user.
- Cryptographic Algorithm: Old cryptographic algorithms that were used in old web apps might be a risk factor. There may be a chance that attackers could have bypass that algorithm and get access to sensitive data.
- Cryptographic Keys: Cryptographic keys always play a vital role in a web applications. If Cryptographic keys are not properly rotated or old & weak keys are used then in that case web application will be at risk of exposure of data.
- Encryption: Web application must enforce proper encryption techniques in order to prevent attacks and to safeguard the confidential information.
Following are some examples of the attack scenarios where an attacker may attack the web application in order to harm the data of the web application:
- Directory Busting: Directory busting or Directory Brute forcing is one of the main big vulnerability through which an attacker might be able to see the sensitive files that are being stored on a website server. There are several critical files that are stored on a web server in order to make smooth functioning of a website. While development and deployment of a web application, developer must keep this thing in mind to make these directories or files to be hidden or setting privacy to not accessible to public. Following are some most critical files that can be exploited by attackers if found publicly available on internet.
The list contains thousands of such critical files which an attacker can test against a website using some kind of tool like Dir search, Dir buster or Burp Suite.
- GitHub: GitHub is a famous for version controlling and software development. Millions and billions of codes are being hosted on GitHub in order to collaborate and work on it. As we all know, GitHub has public as well as private repositories. Now just imagine a case where the developer has uploaded a SQL data of a website on a GitHub Repo and forgot to make it private. This SQL Data is now visible to public through which an attacker might take an advantage could exploit the database of that particular web application.
For this, attackers have access to different tools although they can also do it manually by applying several filters. Automated tools include Git Grabber, Git hound, Git Rob, and many more.
So its really important to make the Web application secure in order to hide the sensitive information from attackers so that they cant use it to compromise the users as well as company’s security.
- Are Gmail Addresses Case Sensitive?
- How to use SQLMAP to test a website for SQL Injection vulnerability
- Broken Authentication Vulnerability
- Insecure Direct Object Reference (IDOR) Vulnerability
- Difference between Data Privacy and Data Security
- Difference between Data Privacy and Data Protection
- How to get YouTube video data by using YouTube data API and PHP ?
- PHP program to fetch data from localhost server database using XAMPP
- PHP | Data Types
- Maximum Data Rate (channel capacity) for Noiseless and Noisy channels
- Data types in TypeScript
- Data Compression With Arithmetic Coding
- Framing in Data Link Layer
- PHP | Serializing Data
- Synchronous Data Link Control (SDLC) Loop Operation
- Asynchronous serial data transfer
- Data encryption standard (DES) | Set 1
- Java Servlet and JDBC Example | Insert data in MySQL
- Shannon-Fano Algorithm for Data Compression
Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.
If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to email@example.com. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.