OWASP Top 3 – Sensitive Data Exposure

owasp top 3

OWASP Top 3 – Sensitive Data Exposure is ranked number three on the OWASP Top 10 list. This vulnerability covers a wide spectrum and hackers have a huge arsenal of tools and procedures they can use to exploit this vulnerability, for example:

MIMT attacks (hackers secretly re-transmit and disrupt communications between two parties to access confidential data)

Manual crawling of the website to find sensitive data exposed in the source code of the website.

Use of “Google Dorks” to scan all web pages indexed by Google to find information that gives them unauthorized access to technological resources.    

This vulnerability affects websites, Wi-Fi networks, and domain environments; therefore, the importance of running vulnerability assessments and penetration tests twice a year will increase the security of your network. We see companies that only ask for website penetration tests and do not focus on other Internet exposed services such as FTP, SSH, SMTP, TELNET, or IMAP, to name a few. It is common that the website could be sufficiently protected, but the vulnerability can reside in an insecure FTP service configured with an anonymous account without a password.

OWASP Top 3 – Anatomy of a Website Attack

There is an easy way to verify the prevalence of this vulnerability using a very simple example. Google Dorks is used as a hacking tool to find security holes in website settings. Remember, we are looking for exposed sensitive data. If we execute the following command in the Google search engine…

A few clicks on the results will show you the prevalence of this vulnerability and the number of usernames with their respective passwords. The same technique can be used to reference all types of platforms, databases, services, protocols, and configurations to find any type of information that allows unauthorized access to a specific system.

The only way to get rid of this vulnerability in your technology environment is to conduct a very deep assessment using advanced tools and scanners to find out if your website is exposing sensitive data. One of the problems is that automatic scanners alone do not find these types of vulnerabilities because they only focus on code. A hands-on penetration test is required to discover and remediate vulnerabilities like this one.

How can RedDefense Global help me to keep my databases and my corporate website safe?

RedDefense Global team will put your corporate websites and databases to the test. We use advanced scanners, manual penetration testing, and different techniques and procedures that may include crawling, rough tampering, code review, and folder permissions. We do all of this in coordination with your internal staff in charge of your information systems. These procedures are necessary to find out if the potential vulnerabilities are false positives or real vulnerabilities. If they are real vulnerabilities, we will provide you effective methods to patch, update or remove the vulnerability according to the situation to keep your environment secured.

SOLUTION AND PREVENTION

https://reddefenseglobal.com/services

Additional resources regarding this type of attack:

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html

https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

Vulnerabilities based on CWE Ranking:

CWE-220: Exposure of sens. information through data queries

CWE-310: Cryptographic Issues

CWE-311: Missing Encryption

CWE-312: Cleartext Storage of Sensitive Information

CWE-319: Cleartext Transmission of Sensitive Information

CWE-326: Weak Encryption

CWE-327: Broken / Risky Crypto

CWE-359: Exposure of Private Information (Privacy Violation)