Overview
- Bug Type: Sensitive data exposure
- Category: Security
Definition
Confidential data (PII, secrets, keys) is insufficiently protected in transit, at rest, or in logs.
How to fix Sensitive data exposure?
Encrypt data in transit (modern TLS) and at rest; store secrets securely and rotate them; redact secrets and PII from logs; hash credentials with a strong, salted, memory-hard algorithm.
Symptoms
Observable signs that may indicate Sensitive data exposure:
- Secrets/PII appear in logs, URLs, client storage, or error messages.
- Weak or missing TLS; outdated ciphers; plaintext storage of sensitive data.
- Database dumps or backups accessible from public endpoints/buckets.
Example Errors:
- SSL: no shared cipher
- Warning: Using a deprecated hashing algorithm
- Access log contains Authorization header