
Sensitive Data Exposure: Are You Leaking Info?
A comprehensive guide to finding and fixing data leaks in your applications
Understanding Sensitive Data Exposure
Sensitive Data Exposure occurs when an application inadvertently exposes private information that could be used by attackers. Unlike data breaches that involve system intrusion, these exposures often happen through:
- Improper security configurations
- Insufficient encryption
- Debug information leaks
- Insecure API endpoints
Common Types of Sensitive Data Leaks
1. Unprotected Files and Directories
Common exposed files:
```
/.git/
/.env
/config.json
/backup.zip
/phpinfo.php
```
2. API Data Leaks
Examples of sensitive data in API responses:
```json
{
  "user": {
    "id": 123,
    "email": "admin@example.com",
    "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99",
    "api_key": "a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6"
  }
}
```
3. Debug Information
Accidental exposure of debug data:
```
DEBUG: Database connection failed
Username: admin
Password: P@ssw0rd123
Connection string: mysql://admin:P@ssw0rd123@localhost:3306/prod_db
```
Where to Look for Data Leaks
Data Exposure Checklist
Tools for Finding Data Leaks
Tool | Purpose | Command/Usage |
---|---|---|
Burp Suite | Intercept and analyze traffic | Manual testing with Proxy/Scanner |
GitTools | Extract data from exposed .git | `./gitdumper.sh http://example.com/.git/ ./output` |
dirsearch | Find exposed files/directories | `python3 dirsearch.py -u http://example.com` |
Postman | API testing | Manual API endpoint testing |
GF Patterns | Find secrets in files | `gf -list \| gf {pattern} \| tee results.txt` |
Testing Methodology
Step 1: Reconnaissance
- Identify all application endpoints
- Check for common file exposures
- Review HTTP headers and responses
Step 2: API Testing
- Test all API endpoints with different user roles
- Check for IDOR (Insecure Direct Object Reference)
- Verify data filtering works properly
```http
GET /api/users/123
GET /api/users/124
GET /api/admin/users
```
Step 3: Error Handling Tests
Force error conditions to check for debug info leaks:
```http
POST /login
Content-Type: application/json

{ "username": "' OR 1=1 --", "password": "anything" }
```
Common Vulnerable Patterns
1. Excessive Data in Responses
```http
GET /api/user/me
```
Response:
```json
{
  "id": 123,
  "username": "admin",
  "email": "admin@example.com",
  "password_reset_token": "a1b2c3d4...",
  "last_login_ip": "192.168.1.100",
  "billing_info": {
    "credit_card_last4": "1234",
    "address": "123 Main St"
  }
}
```
2. Insecure File Permissions
```
http://example.com/uploads/profile_123.jpg
http://example.com/uploads/invoice_456.pdf
```
Test sequential IDs and check for directory listing
3. Hardcoded Secrets
```javascript
// config.js
module.exports = {
  db_password: 'Sup3rS3cret!',
  api_key: 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6',
  encryption_key: 'ThisIsNotSecure'
};
```
Prevention and Mitigation
1. Data Classification
- Identify what constitutes sensitive data
- Implement different handling based on classification
2. Secure Coding Practices
- Never expose sensitive data in responses: return only the fields the client needs, not the raw internal record
- Implement proper error handling: generic messages to the client, details only in server-side logs
- Use environment variables for secrets instead of hardcoding them in source files
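As an added example (not code from the original article), the leaky `/api/user/me` response from the Excessive Data section above, handled the way the first two points describe: an allow-list serializer so only intended fields are returned, plus a guard that refuses to send a body that still contains sensitive-looking keys. The sample record, the field list and the key pattern are constructed for the demo.

```javascript
// Added example (not from the original article): allow-list serialization for API
// responses plus a guard that flags sensitive keys before a response leaves the server.

// Constructed sample: what a naive `res.json(user)` would send for GET /api/user/me
const userRecord = {
  id: 123,
  username: "admin",
  email: "admin@example.com",
  password_hash: "5f4dcc3b5aa765d61d8327deb882cf99",
  password_reset_token: "a1b2c3d4...",
  last_login_ip: "192.168.1.100",
  billing_info: { credit_card_last4: "1234", address: "123 Main St" },
};

// Allow-list: name the fields the client is meant to see. Anything not listed
// (hashes, tokens, internal IPs, billing data) is dropped by construction.
const PUBLIC_USER_FIELDS = ["id", "username", "email"];

function toPublicUser(record) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (field in record) out[field] = record[field];
  }
  return out;
}

// Defence in depth: key names that should never appear in a JSON response
// (pattern is an assumption for the demo; tune it to your own data classification).
const SENSITIVE_KEY = /(password|secret|token|api_key|private|credit_card|ssn)/i;

// Walk an object tree and return the dotted paths of any sensitive keys found.
function findSensitiveKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([key, child]) => {
    const here = path ? `${path}.${key}` : key;
    const hits = SENSITIVE_KEY.test(key) ? [here] : [];
    return hits.concat(findSensitiveKeys(child, here));
  });
}

// Guard to call before sending: refuses to serialize a body that still leaks.
function safeJson(body) {
  const leaks = findSensitiveKeys(body);
  if (leaks.length > 0) {
    throw new Error(`refusing to send response with sensitive keys: ${leaks.join(", ")}`);
  }
  return JSON.stringify(body);
}
```

Wiring `safeJson` into the framework's response path (or running `findSensitiveKeys` over recorded responses in an integration test) turns the "verify data filtering works properly" step of the methodology into an automated check.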
3. Regular Audits
- Scan for secrets in code repositories
- Test API endpoints for data leaks
- Check file permissions regularly
Real-World Examples
Case 1: Exposed .git Directory
Attackers downloaded the entire source code including database credentials from an exposed .git directory.
Case 2: API Data Leak
A mobile app API returned full user records including password hashes and API keys for any authenticated user.
Case 3: Debug Mode in Production
A production application had debug mode enabled, exposing stack traces with database credentials.
Conclusion
Sensitive Data Exposure remains a critical security issue because:
- It often requires no exploitation – data is simply there for the taking
- The impact can be as severe as a full system breach
- It’s frequently overlooked in security testing