Security Test: Data leak
Description
Default Severity:
When an API inadvertently exposes secrets, it is like leaving your house keys hanging on the front door: attackers can easily find them and misuse them. Developers often embed sensitive details such as private keys, tokens, or passwords in their code and then forget to hide or remove them from the public surface of the API. This vulnerability is dangerous because it lets malicious actors gain unauthorized access, potentially taking over systems or stealing data. Being careful about how and where sensitive information is stored helps avoid these high-stakes slip-ups.
Reference:
Configuration
Identifier:
information_disclosure/data_leak
Examples
All configuration available:
```yaml
checks:
  information_disclosure/data_leak:
    skip: false # default
    options:
      blacklist: # cf. Options below
```
Options
Options can be set in the `options` key of the Security Test Configuration.
Property | Type | Default | Description |
---|---|---|---|
blacklist | List[string] | | List of elements to ignore. |
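To make the check and its `blacklist` option concrete, here is an added illustration (not Escape's own implementation) of how a data-leak detector can walk an API response body, flag values that look like secrets or fields whose names suggest a secret, and skip any element whose name appears in a blacklist. The secret patterns, the sensitive field names, the interpretation of `blacklist` as field names, and the sample response are all constructed assumptions for this example.

```python
import json
import re
from typing import Any, Iterator

# Constructed detection patterns for this illustration (not the product's rule set).
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}", re.IGNORECASE),
}
# Field names that should not appear in a public response regardless of value (assumption).
SENSITIVE_FIELD_NAMES = {"password", "secret", "api_key", "private_key", "token"}


def _walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every scalar in a decoded JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_leaks(body: str, blacklist: list[str] = ()) -> list[dict]:
    """Return findings for one response body.

    `blacklist` holds element names to ignore (this example's reading of the
    page's `blacklist` option); a non-JSON body is scanned as one raw value.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        data = {"_raw": body}
    findings = []
    for path, value in _walk(data):
        leaf = path.rsplit(".", 1)[-1].split("[")[0]  # last path segment, no index
        if leaf in blacklist:
            continue
        text = str(value)
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append({"path": path, "kind": kind})
        if leaf.lower() in SENSITIVE_FIELD_NAMES and text:
            findings.append({"path": path, "kind": "sensitive_field_name"})
    return findings


# Constructed sample response; the AWS key is the public documentation example value.
SAMPLE_RESPONSE = json.dumps({
    "user": {"id": 42, "email": "alice@example.com"},
    "debug": {"aws_key": "AKIAIOSFODNN7EXAMPLE", "password": "hunter2"},
})
```

Running `find_leaks(SAMPLE_RESPONSE)` reports the AWS key and the exposed password field; passing `blacklist=["password"]` suppresses the second finding.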
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API1:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.3 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.18.1 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 200 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
CVSS Score | 7.2 |