
Security Test: Private data

Description

Default Severity:

Data meant to be private is not properly restricted, so users who should not see it can still retrieve it. This typically happens when access-control rules are misconfigured or applied inconsistently across routes, and a response to a low-privilege user ends up carrying fields (internal email addresses, admin flags, role memberships, tokens) that should have been filtered out. It is dangerous because anyone who notices the leak, an attacker or an ordinary user, can collect data they are not entitled to, which can lead to privacy breaches, identity theft, or further attacks that build on the disclosed information. A common trap is relying solely on configuration files or framework defaults for this filtering, without an explicit per-user check of what each route actually returns; if those rules are flawed, the private data is exposed. This test makes that check explicit: it requests a route as a given user and fails if a forbidden pattern appears in the response.

Reference:

Configuration

Identifier: access_control/private_data

Examples

All configuration available:

checks:
  access_control/private_data:
    skip: false # default
    parameters:
      __user: # cf. Parameters below
      rules: # cf. Parameters below

REST: Ensure user some-user cannot retrieve an admin user from the list of users at GET /users (no fields given, so the pattern is matched against the whole response)

checks:
  AccessControl_PrivateData:
    parameters:
      rules:
        - user: some-user
          routes:
            - method: GET
              path: /users
              pattern: ".*admin: true.*"

REST: Ensure user some-user cannot see an email field containing @mycompany.com, nor a role.group field containing admin, on route GET /users

checks:
  AccessControl_PrivateData:
    parameters:
      rules:
        - user: some-user
          routes:
            - method: GET
              path: /users
              fields: ["email"]
              pattern: "@mycompany.com"
            - method: GET
              path: /users
              fields: ["role.group"]
              pattern: "admin"

REST: Ensure user some-user cannot access a field admin-* on route GET /admin

checks:
  AccessControl_PrivateData:
    parameters:
      rules:
        - user: some-user
          routes:
            - method: GET
              path: /admin
              fields: ["admin-*"]
              pattern: ".*"
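To make the fields/pattern semantics of these rules concrete, here is an added Python illustration; it is not the scanner's own implementation and not code from this page. It evaluates the example rules above against constructed JSON responses, reporting every value a user saw that a rule says they must never see. It assumes, reading the examples, that a dot path such as role.group is anchored at any object in the response (so email finds the email of every user in a list), that lists are traversed transparently, that a * inside a path segment is a glob on key names (admin-*), and that a rule without fields applies its pattern to the raw response body. The rule dicts, the sample responses and the path notation are all constructed for this example.

```python
import json
import re

# Constructed sample responses, keyed by (user, method, path), standing in for
# what the scanner captured when it called each route as that user.
SAMPLE_USERS_RESPONSE = json.dumps({"users": [
    {"id": 1, "email": "alice@mycompany.com", "admin": True, "role": {"group": "admin"}},
    {"id": 2, "email": "bob@example.org", "admin": False, "role": {"group": "staff"}},
]})
SAMPLE_ADMIN_RESPONSE = json.dumps({"status": "ok", "admin-token": "abc"})
RESPONSES = {
    ("some-user", "GET", "/users"): SAMPLE_USERS_RESPONSE,
    ("some-user", "GET", "/admin"): SAMPLE_ADMIN_RESPONSE,
}

# The page's example rules as dicts mirroring the YAML (a hypothetical shape).
# The no-fields rule is matched against the raw JSON text here, so its pattern
# is written for '"admin": true' rather than the page's 'admin: true'.
RULES = [{"user": "some-user", "routes": [
    {"method": "GET", "path": "/users", "fields": ["email"], "pattern": "@mycompany.com"},
    {"method": "GET", "path": "/users", "fields": ["role.group"], "pattern": "admin"},
    {"method": "GET", "path": "/users", "fields": [], "pattern": r'"admin":\s*true'},
    {"method": "GET", "path": "/admin", "fields": ["admin-*"], "pattern": ".*"},
]}]


def _segment_matches(segment, key):
    """A '*' inside a path segment is a glob on the key name (e.g. admin-*)."""
    return re.fullmatch(re.escape(segment).replace(r"\*", ".*"), key) is not None


def _scalars(node, path):
    """Yield (json_path, value) for every scalar under node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _scalars(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _scalars(v, f"{path}[{i}]")
    else:
        yield path, node


def _follow(node, parts, path):
    """Continue a partly matched dot path strictly; lists are transparent."""
    if isinstance(node, list):
        for i, item in enumerate(node):
            yield from _follow(item, parts, f"{path}[{i}]")
    elif not parts:
        yield from _scalars(node, path)
    elif isinstance(node, dict):
        for k, v in node.items():
            if _segment_matches(parts[0], k):
                yield from _follow(v, parts[1:], f"{path}.{k}")


def find_field(doc, field):
    """Resolve a dot path like 'role.group' anchored at any object in doc.
    Returns {json_path: value} for every scalar reached."""
    parts = field.split(".")
    found = {}

    def search(node, path):
        if isinstance(node, list):
            for i, item in enumerate(node):
                search(item, f"{path}[{i}]")
        elif isinstance(node, dict):
            for k, v in node.items():
                if _segment_matches(parts[0], k):
                    for p, val in _follow(v, parts[1:], f"{path}.{k}"):
                        found.setdefault(p, val)
                search(v, f"{path}.{k}")  # a fresh match may start deeper

    search(doc, "$")
    return found


def check_route(route, body):
    """Return (path, text) pairs where the pattern matched data the user must
    not see. An empty list means the route passed for this rule."""
    regex = re.compile(route["pattern"])
    if not route.get("fields"):
        # No fields: the pattern is applied to the whole response body.
        return [("$", body)] if regex.search(body) else []
    hits = []
    for field in route["fields"]:
        for path, value in find_field(json.loads(body), field).items():
            text = value if isinstance(value, str) else json.dumps(value)
            if regex.search(text):
                hits.append((path, text))
    return hits


def evaluate(rules, responses):
    """One finding per (user, route) rule whose pattern matched the response."""
    findings = []
    for rule in rules:
        for route in rule["routes"]:
            body = responses.get((rule["user"], route["method"], route["path"]))
            hits = check_route(route, body) if body is not None else []
            if hits:
                findings.append({"user": rule["user"], "method": route["method"],
                                 "path": route["path"], "hits": hits})
    return findings
```

Running evaluate(RULES, RESPONSES) yields four findings, one per example rule, each naming the exact path of the leaked value (for instance $.users[0].email for alice@mycompany.com); a route with no hits produces no finding. A non-empty hit list is the failure condition of this security test: the user saw a value the rule says they should never be able to access.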

Parameters

Parameters can be set in the parameters key of the Security Test Configuration.

Property Type Default Description
__user List[ObjectRefUser1] A list of objects mapping fieldName to [scalarValues] that the user should never be able to access. Use .* as the fieldName to forbid those values anywhere in the response.
rules List[ObjectRefRules2] (For REST) The list of private-field rules to check during a scan; each rule names a user and the routes to request as that user.

ObjectRefItems3

Property Type Default Description
fields* List[string] Response fields to inspect, written as dot paths (role.group); a * inside a segment matches any key name (admin-*), as in the examples above. When no fields are given the pattern is matched against the whole response, as in the first example.
method* EnumRefMethod4 HTTP method of the route to request.
path* string Path of the route to request, e.g. /users.
pattern* string Regular expression that must not match in the selected fields (or in the whole response when fields is omitted); a match means the user could access private data and the test fails.

ObjectRefRules2

Property Type Default Description
routes* List[ObjectRefItems3] The routes to request as this user, each with the fields and pattern that must not appear.
user* string Name of the user (as configured for the scan) whose credentials are used for the requests.

ObjectRefUser1

Property Type Default Description
additionalProperties List[string] Additional properties are allowed

EnumRefMethod4

Value
GET
POST
PUT
DELETE
PATCH
HEAD
OPTIONS
TRACE
CONNECT

Compliance and Standards

Standard Value
OWASP API Top 10 API3:2023
OWASP LLM Top 10 LLM06:2023
PCI DSS 7.1
GDPR Article-32
SOC2 CC1
PSD2 Article-32
ISO 27001 A.18.1
NIST SP800-53
FedRAMP AC-3
CWE 200
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
CVSS Score 5.1