Skip to content

Data leak

Description

The API exposes sensitive data to the public, such as secrets, private keys, tokens, passwords, etc. This security check detects this sensitive data.

Remediation

  • If there is a chance that unauthorized individuals have already accessed the secret, revoke it immediately and notify the concerned team.
  • If the leak happens through another vulnerability, such as a Request Forgery, fix this issue to avoid further secret leaks.
  • Have your developers implement these best practices to avoid leaking secrets:
  • Inside logs: Keeping Sensitive Data Out of Logs
  • Inside commits: Pre-commit or Gitleaks
  • In the configuration, using an environment variable manager like Hashicorp Vault

GraphQL Specific

Apollo To address a data leak within the Apollo framework engine, ensure that all sensitive data is handled securely by implementing proper access controls, encrypting data at rest and in transit, and conducting regular security audits to identify and patch vulnerabilities. Additionally, utilize Apollo's built-in features for privacy, such as private schema fields, and adhere to best practices for API security.
Yoga To address the data leak issue within the Yoga framework engine, ensure that all sensitive data is encrypted both at rest and in transit. Implement access controls and audit logs to monitor data access. Regularly update the framework to the latest version to patch any security vulnerabilities. Additionally, conduct thorough security assessments and code reviews to identify and mitigate potential data exposure points.
Awsappsync To mitigate data leaks in AWS AppSync, ensure that all GraphQL queries and mutations are properly authenticated and authorized. Implement fine-grained access control using AWS Identity and Access Management (IAM) and Amazon Cognito. Regularly audit your API configurations and access patterns, and encrypt sensitive data both at rest and in transit using AWS encryption services. Additionally, enable logging and monitoring with AWS CloudTrail and Amazon CloudWatch to detect and respond to any unauthorized access or anomalies.
Graphqlgo To mitigate data leaks in a GraphQL Go framework engine, ensure that all sensitive fields are properly secured and that access control policies are in place to restrict unauthorized access. Implement field-level security to limit exposure of data based on user roles and permissions. Regularly audit your GraphQL schema and resolvers for potential vulnerabilities, and use query complexity analysis to prevent abusive queries. Additionally, consider using a GraphQL security library or middleware that provides features such as depth limiting, amount limiting, and introspection disabling to further protect against data leaks.
Graphqlruby To mitigate data leaks in the GraphQL Ruby framework, ensure that proper authentication and authorization checks are in place before allowing access to sensitive data. Implement field-level permissions to control access to specific parts of your schema. Use the graphql-guards gem to easily define policies for your GraphQL fields. Additionally, consider rate limiting to prevent excessive requests that could lead to data exposure. Regularly audit your GraphQL queries and mutations for potential vulnerabilities and apply the principle of least privilege when assigning data access to different roles.
Hasura To mitigate data leaks in the Hasura framework, ensure that all GraphQL queries are properly authenticated and authorized. Implement role-based access control (RBAC) to restrict data access based on user roles. Regularly audit your access control policies and review logs to detect any unauthorized access. Additionally, use environment variables for sensitive information instead of hardcoding them in the application code or configuration files. Keep the Hasura engine and all dependencies up to date with the latest security patches.
Agoo Ensure that sensitive data is not exposed by the Agoo framework engine by implementing strict access controls, encrypting sensitive information, and regularly auditing API endpoints for data leaks.
Ariadne Implement access controls and data masking in the Ariadne framework to prevent exposure of sensitive information through the API.
Caliban Implement access controls and data masking to prevent exposure of sensitive information in the Caliban framework engine.
Dgraph Implement access controls and encryption to protect sensitive data in the Dgraph framework, ensuring that only authorized users can access it.
Dianajl Implement access controls and encryption to secure sensitive data in the DianaJL framework engine, ensuring that API endpoints do not expose secrets, private keys, tokens, or passwords to unauthorized users.
Directus Implement strict access controls and environment-specific configurations to ensure sensitive data is not exposed through the Directus API. Regularly audit and rotate secrets, and use environment variables to manage sensitive information securely.
Flutter Implement secure storage solutions to protect sensitive data in the Flutter framework, such as using the flutter_secure_storage package to securely store keys, tokens, and passwords.
Graphene Implement middleware to sanitize and validate all inputs and outputs, ensuring no sensitive data is exposed through the GraphQL API.
Graphqlapiforwp Implement access controls and authentication mechanisms to ensure that only authorized users can access sensitive data through the GraphQL API in the WP Engine framework. Additionally, regularly audit and sanitize the data exposed by the API to prevent unintentional leaks of secrets, private keys, tokens, and passwords.
Graphqlgophergo Implement access controls and validation checks in the GraphQLGopherGo framework to ensure sensitive data is not exposed through the API. Regularly audit and sanitize inputs and outputs to prevent accidental data leaks.
Graphqljava Implement access control checks in your GraphQL resolvers to ensure that only authorized users can access sensitive data. Additionally, use environment variables to store secrets and configure your GraphQL server to prevent introspection queries in production.
Graphqlphp Implement access control checks and validation rules in your GraphQL schema to ensure that sensitive data is not exposed. Additionally, use environment variables to manage secrets and avoid hardcoding them in your codebase.
Graphqlyoga Implement authentication and authorization mechanisms to restrict access to sensitive data in the GraphQL Yoga framework. Ensure that sensitive fields are not exposed in the schema and use environment variables to manage secrets securely.
Hypergraphql Implement access controls and data filtering to ensure sensitive information is not exposed through the HyperGraphQL API.
Jaal Implement access controls and encryption to secure sensitive data exposed by the Jaal framework engine.
Juniper Implement access controls and encryption to secure sensitive data in the Juniper framework engine, ensuring that only authorized users can access it.
Lacinia Implement access controls and data masking in the Lacinia framework to prevent exposure of sensitive data through the API.
Lighthouse Ensure that sensitive data is not exposed through the API by implementing proper access controls, encrypting sensitive information, and regularly auditing API endpoints for data leaks.
Mercurius Implement access controls and data filtering in Mercurius to ensure sensitive data is not exposed through GraphQL queries. Use schema directives to restrict access to sensitive fields and validate incoming requests to prevent unauthorized data exposure.
Morpheusgraphql Implement access controls and authentication mechanisms to restrict API access, and ensure sensitive data is encrypted and not exposed in responses.
Qglgen Implement input validation and output encoding to prevent data leaks in gqlgen by ensuring that sensitive data is not exposed through GraphQL queries and responses.
Sangria Implement access control measures and ensure sensitive data is not exposed through the API by using proper authorization checks and data filtering in the Sangria GraphQL framework.
Shopify Ensure that all API endpoints in the Shopify framework are secured by implementing proper authentication and authorization checks, and avoid exposing sensitive data such as API keys, tokens, and passwords in public responses.
Stepzen Implement access controls and environment variable management in StepZen to ensure sensitive data like secrets, private keys, and tokens are not exposed through the API. Regularly audit and update configurations to maintain security.
Strawberry Implement access controls and data masking to prevent exposure of sensitive information in the Strawberry framework's API responses.
Tartiflette Implement access controls and data validation in the Tartiflette engine to ensure sensitive data is not exposed through the API. Regularly audit and sanitize data outputs to prevent leaks of secrets, private keys, tokens, and passwords.
Wpgraphql Ensure that sensitive data is not exposed through the WPGraphQL API by implementing proper access controls and authentication mechanisms. Regularly audit and review the API schema to identify and secure any fields that may inadvertently expose sensitive information.

REST Specific

Asp_net Implement proper access controls and ensure sensitive data is encrypted both in transit and at rest. Utilize ASP.NET's built-in features such as the Secure Socket Layer (SSL) for data in transit and the Data Protection API for encrypting sensitive data at rest. Regularly audit your API endpoints for unintended data exposure and adhere to the principle of least privilege when assigning permissions.
Ruby_on_rails In Ruby on Rails, ensure that sensitive data is not included in the output of APIs by using strong parameters to whitelist only the necessary attributes for exposure. Additionally, configure the application to use environment variables or encrypted secrets management for handling confidential information, and never hardcode sensitive data within the codebase. Regularly audit your code and dependencies for vulnerabilities that could lead to data exposure.
Next_js Ensure that sensitive data is not included in the API responses or client-side code. Use environment variables and server-side logic to handle secrets, and never expose them to the frontend. Implement proper access controls and audit logs to monitor data access.
Laravel Ensure that sensitive data is not included in API responses. Review the code to remove any direct references to private keys, tokens, or passwords. Use Laravel's built-in functions to secure environment variables and leverage access control mechanisms to protect API endpoints. Implement proper logging to detect any unauthorized access attempts.
Express_js Ensure that all sensitive data is properly encrypted and that API endpoints are secured with authentication and authorization checks. Implement environment variables to store secrets and use middleware like 'helmet' to set security-related HTTP headers. Regularly audit your code and dependencies for vulnerabilities.
Django Ensure that Django's DEBUG mode is set to False in production to prevent the exposure of sensitive information. Use environment variables or a secure key management system to handle secrets and credentials. Regularly audit your code and use tools like Django's built-in 'check' framework to detect potential data leaks. Implement proper access controls and permissions for API endpoints.
Symfony In the Symfony framework, ensure that all sensitive data is properly secured by using environment variables for storing secrets and access credentials. Utilize the 'dotenv' component for local environments and secure production secrets with a vault service or server environment variables. Implement access controls and use Symfony's 'secrets' management for sensitive values. Regularly audit your codebase to ensure that no sensitive data is hard-coded or exposed through APIs. Additionally, employ HTTPS and proper authentication mechanisms to protect data in transit.
Spring_boot Ensure that sensitive data is not logged or exposed in API responses. Use environment variables or a secure vault service to manage secrets, and implement proper access controls and encryption for data in transit and at rest. Regularly audit your code and use automated tools to detect potential leaks. Update your Spring Boot application properties to exclude sensitive information from being exposed and configure proper logging levels to prevent accidental leaks.
Flask Ensure that Flask endpoints handling sensitive data implement proper access controls and do not return confidential information in responses. Use environment variables or secure storage solutions to manage secrets, and never hardcode them in the source code. Regularly audit your code and use tools like static analyzers to detect accidental exposure of sensitive data.
Nuxt Ensure that all sensitive data is stored in environment variables and not hardcoded in the application code. Use .env files for local development and secure secret management systems for production. Additionally, implement proper access controls and audit logs to monitor access to sensitive data. Regularly review and update API endpoints to ensure they do not inadvertently expose sensitive information.
Fastapi Ensure that all sensitive data is properly encrypted and that API endpoints are secured with authentication and authorization checks. Implement environment variables for storing secrets and use FastAPI's dependency injection system to manage security configurations. Regularly audit your code and dependencies for vulnerabilities.
Frappe Ensure that sensitive data is not exposed by implementing access controls and using environment variables to manage secrets securely in the Frappe framework.
Genzio Ensure that the Genzio framework engine is configured to restrict access to sensitive data by implementing proper authentication and authorization mechanisms, and regularly audit the API endpoints to prevent exposure of secrets, private keys, tokens, and passwords.
Gin Implement middleware to sanitize and validate all incoming and outgoing data to prevent exposure of sensitive information in the Gin framework.
Gorilla Implement access controls and data masking to prevent exposure of sensitive information through the API.
Hapi Implement Hapi's built-in validation and authentication mechanisms to ensure sensitive data is not exposed through the API. Use environment variables to store secrets and configure Hapi to access them securely.
Hono Implement access controls and encryption to secure sensitive data exposed by the API in the Hono framework.
Jersey Ensure sensitive data is not exposed by configuring proper access controls and using encryption for sensitive information in the Jersey framework.
Koa Implement middleware in the Koa framework to sanitize and validate all incoming and outgoing data, ensuring that sensitive information is not exposed or logged inadvertently.
Ktor Implement proper authentication and authorization mechanisms to restrict access to sensitive endpoints and ensure that sensitive data is not exposed through the API. Additionally, review and sanitize all data outputs to prevent accidental leakage of secrets, private keys, tokens, and passwords.
Leptos Implement access controls and data encryption to prevent unauthorized exposure of sensitive information in the Leptos framework.
Macaron Implement middleware to sanitize and validate all incoming and outgoing data to prevent exposure of sensitive information in the Macaron framework.
Phoenix Ensure sensitive data is not exposed by using Phoenix's configuration files to securely manage secrets and environment variables. Utilize libraries like `dotenv` or `config.exs` to handle sensitive information, and ensure that these files are not included in version control.
Redwoodjs Ensure that sensitive data is not exposed in RedwoodJS by using environment variables for secrets and configuring API routes to restrict access. Regularly audit your codebase for any hardcoded sensitive information and utilize RedwoodJS's built-in security features to protect your application.
Rocket Implement access controls and data encryption to prevent unauthorized exposure of sensitive information in the Rocket framework engine.
Sveltekit Implement environment variables in SvelteKit to securely store and access sensitive data, ensuring that secrets, private keys, tokens, and passwords are not exposed in the codebase or public API responses.

Configuration

Identifier: information_disclosure/data_leak

Options

  • blacklist : List of elements to ignore.

Examples

Ignore this check

checks:
  information_disclosure/data_leak:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API1:2023
  • OWASP LLM: LLM06:2023
  • pci: 3.4
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.18.1
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 200

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2

References