Security Testing - Sensitive Data Exposure

As the online applications keep flooding the internet in day by day, not all applications are secured. Many web applications do not properly protect sensitive user data such as credit cards information/Bank account info/authentication credentials. Hackers might end up stealing those weakly protected data to conduct credit card fraud, identity theft, or other crimes.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

Example

Some of the classic examples of security misconfiguration are as given −

• A site simply does not use SSL for all authenticated pages. This enables an attacker to monitor network traffic and steal the user’s session cookie to hijack the users session or accessing their private data.

• An application stores the credit card numbers in an encrypted format in a database. Upon retrieval they are decrypted allowing the hacker to perform a SQL injection attack to retrieve all sensitive info in a clear text. This can be avoided by encrypting the credit card numbers using a public key and allowed back-end applications to decrypt them with the private key.

Hands ON

Step 1 − Launch WebGoat and navigate to "Insecure Storage" Section. Snapshot of the same is displayed below.

Step 2 − Enter the username and password. It is time to learn different kind of encoding and encryption methodologies that we discussed previously.

Preventive Mechanisms

• It is advised not to store sensitive data unnecessarily and should be scraped as soon as possible if it is no more required.

• It is important to ensure that we incorporate strong and standard encryption algorithms are used and proper key management is in place.

• It can also be avoided by disabling autocomplete on forms that collect sensitive data such as password and disable caching for pages that contain sensitive data.