OWASP A06 - Sensitive Data Exposure

Showing 9 articles


Information Leak Through Cookies

Cookies are used by web applications to store data in the browser. Cookies might be marked as persistent and stored for an extended period of time. An attacker might gain access to the drive that stor...


Insufficiently Protected Credentials

An insufficiently protected credential weakness occurs when the application doesn't store or transmit the authentication credentials securely. If the passwords are not hashed and salted, an attacker m...


Use of Hard-coded Cryptographic Key

Applications that use cryptography need a method for managing keys. One of the simplest ways to store the keys is to hard-code them into the application. However, this approach is not secure, because...


Weak Cryptographic Hash

A weak cryptographic hash vulnerability occurs when the application uses a hashing algorithm that is considered to be less resistant to attack than the currently recommended algorithms, and/or the cho...


Weak Encryption

Weak encryption vulnerabilities occur when weak encryption algorithms are used or encryption is not used properly. For encryption to work properly, strong and up-to-date cryptographic algorithms must...


Insecure Transport

TLS should be used to protect any sensitive data in transit. Some applications don't use TLS even during authentication or when transmitting sensitive data, and an attacker might be able to intercept...


Information Leakage

Information leakage is a blanket term for vulnerabilities that disclose either something about the system or some of the application data to unauthorized users. Information leak vulnerabilities result...


System Information Leak

A system information leak occurs when either the application or the application server discloses information about the web application platform that might be useful to the attacker. Some examples of i...


Information Exposure Through an Error Message

Information exposure through an error message occurs when an error message discloses sensitive information that might help an attacker. Typical examples include disclosing whether a username is valid...