Exposure of sensitive system information
Description
Applications can unintentionally leak information about their configuration or internal workings, or violate user privacy, through a variety of application defects. Pages that return different responses depending on the validity of the submitted data can lead to information leakage, and the problem is most serious when data deemed confidential (credentials, keys, internal settings) is revealed as a direct result of the web application's design, for example by echoing a configuration value back in a response.
Examples
Insecure Code

```scala
// Reads a configuration value and returns it verbatim in the HTTP response.
// Any client that can reach this action sees the raw "secret_key".
def getConfig(key: String) = { val config = play.api.Configuration(); config.underlying.getString(key) }
Ok(getConfig("secret_key"))
```

Secure Code
```scala
// Returns only a digest of the value, so the raw secret is never written to the response.
// Note: String.hashCode is a 32-bit non-cryptographic hash; it prevents echoing the value
// but is not a substitute for a proper hash or encryption when the derived value matters.
def getConfig(key: String) = { val config = play.api.Configuration(); config.underlying.getString(key).hashCode.toString }
Ok(getConfig("secret_key"))
```

Remediation
Do not return sensitive configuration values in application responses. Where a response must reference such data, use secure handling methods such as hashing or encrypting it, and review diagnostic or debug endpoints to ensure raw secrets are never exposed.
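The remediation above applies to any endpoint that exposes configuration, not just a single key. The following added example (not part of this rule page or of Play itself) flattens a Typesafe `Config` into a map and replaces every value whose path contains a sensitive marker with a fixed placeholder before a Play controller serialises it. The marker list, the `DiagnosticsController` name and the sample configuration are assumptions; it targets Scala 2.13+ for `scala.jdk.CollectionConverters`.

```scala
import com.typesafe.config.{Config, ConfigFactory}
import play.api.Configuration
import play.api.libs.json.Json
import play.api.mvc.{AbstractController, ControllerComponents}
import scala.jdk.CollectionConverters._

object SafeConfigView {
  // Assumption: key fragments that mark a value as sensitive; adjust to the application's naming.
  private val SensitiveMarkers = Seq("secret", "password", "token", "credential", "private")

  private def isSensitive(path: String): Boolean = {
    val lower = path.toLowerCase
    SensitiveMarkers.exists(lower.contains)
  }

  /** Flatten a Config into path -> rendered value, redacting anything that looks sensitive. */
  def redacted(config: Config): Map[String, String] =
    config.entrySet().asScala.map { entry =>
      val path = entry.getKey
      val shown = if (isSensitive(path)) "[REDACTED]" else entry.getValue.unwrapped().toString
      path -> shown
    }.toMap

  def main(args: Array[String]): Unit = {
    // Constructed sample configuration, not taken from any real deployment.
    val sample = ConfigFactory.parseString(
      """
        |app.name = "demo"
        |app.secret_key = "do-not-show"
        |db.password = "also-hidden"
        |db.host = "localhost"
        |""".stripMargin)
    // Prints app.secret_key and db.password as [REDACTED]; app.name and db.host unchanged.
    redacted(sample).toSeq.sorted.foreach { case (k, v) => println(s"$k = $v") }
  }
}

// Hypothetical diagnostics endpoint: serves the redacted view instead of raw configuration values.
class DiagnosticsController(cc: ControllerComponents, config: Configuration)
    extends AbstractController(cc) {
  def show = Action {
    Ok(Json.toJson(SafeConfigView.redacted(config.underlying)))
  }
}
```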
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0077 |
| Category | Secrets |
| Severity | MEDIUM |
| CWE | CWE-497 |
| Confidence | MEDIUM |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | information leakage, sensitive data exposure |
| OWASP | N/A |