OWASP A06 - Sensitive Data Exposure

Showing 9 articles

#1

Information Leak Through Cookies

Cookies are used by web applications to store data in the browser. Cookies might be marked as persistent and stored for an extended period of time. An attacker might gain access to the drive that stor...

#2

Insufficiently Protected Credentials

An insufficiently protected credential weakness occurs when the application doesn't store or transmit the authentication credentials securely. If the passwords are not hashed and salted, an attacker m...

#3

Use of Hard-coded Cryptographic Key

Applications that use cryptography need a method for managing keys. One of the simplest ways to store the keys is to hard-code them into the application. However, this approach is not secure, because...

#4

Weak Cryptographic Hash

A weak cryptographic hash vulnerability occurs when the application uses a hashing algorithm that is considered to be less resistant to attack than the currently recommended algorithms, and/or the cho...

#5

Weak Encryption

Weak encryption vulnerabilities occur when weak encryption algorithms are used or encryption is not used properly. For encryption to work properly, strong and up-to-date cryptographic algorithms must...

#6

Insecure Transport

TLS should be used to protect any sensitive data in transit. Some applications don't use TLS even during authentication or when transmitting sensitive data, and an attacker might be able to intercept...

#7

Information Leakage

Information leakage is a blanket term for vulnerabilities that disclose either something about the system or some of the application data to unauthorized users. Information leak vulnerabilities result...

#8

System Information Leak

A system information leak occurs when either the application or the application server discloses information about the web application platform that might be useful to the attacker. Some examples of i...

#9

Information Exposure Through an Error Message

Information exposure through an error message occurs when an error message discloses sensitive information that might help an attacker. Typical examples include disclosing whether a username is valid...