Data leak

Description

The API exposes sensitive data to the public, such as secrets, private keys, tokens, passwords, etc. This security check detects this sensitive data.

Remediation

• If there is a chance that unauthorized individuals have already accessed the secret, revoke it immediately and notify the concerned team.
• If the leak happens through another vulnerability, such as a Server-Side Request Forgery, fix this issue to avoid further secret leaks.
• Have your developers implement these best practices to avoid leaking secrets: -Inside logs: Keeping Sensitive Data Out of Logs. -Inside commits: Pre-commit or Gitleaks. -In the configuration, using an environment variable manager like Hashicorp Vault.

GraphQL Specific

Apollo

To address a data leak within the Apollo framework engine, ensure that all sensitive data is handled securely by implementing proper access controls, encrypting data at rest and in transit, and conducting regular security audits to identify and patch vulnerabilities. Additionally, utilize Apollo's built-in features for privacy, such as private schema fields, and adhere to best practices for API security.

Yoga

To address the data leak issue within the Yoga framework engine, ensure that all sensitive data is encrypted both at rest and in transit. Implement access controls and audit logs to monitor data access. Regularly update the framework to the latest version to patch any security vulnerabilities. Additionally, conduct thorough security assessments and code reviews to identify and mitigate potential data exposure points.

Awsappsync

To mitigate data leaks in AWS AppSync, ensure that all GraphQL queries and mutations are properly authenticated and authorized. Implement fine-grained access control using AWS Identity and Access Management (IAM) and Amazon Cognito. Regularly audit your API configurations and access patterns, and encrypt sensitive data both at rest and in transit using AWS encryption services. Additionally, enable logging and monitoring with AWS CloudTrail and Amazon CloudWatch to detect and respond to any unauthorized access or anomalies.

Graphqlgo

To mitigate data leaks in a GraphQL Go framework engine, ensure that all sensitive fields are properly secured and that access control policies are in place to restrict unauthorized access. Implement field-level security to limit exposure of data based on user roles and permissions. Regularly audit your GraphQL schema and resolvers for potential vulnerabilities, and use query complexity analysis to prevent abusive queries. Additionally, consider using a GraphQL security library or middleware that provides features such as depth limiting, amount limiting, and introspection disabling to further protect against data leaks.

Graphqlruby

To mitigate data leaks in the GraphQL Ruby framework, ensure that proper authentication and authorization checks are in place before allowing access to sensitive data. Implement field-level permissions to control access to specific parts of your schema. Use the graphql-guards gem to easily define policies for your GraphQL fields. Additionally, consider rate limiting to prevent excessive requests that could lead to data exposure. Regularly audit your GraphQL queries and mutations for potential vulnerabilities and apply the principle of least privilege when assigning data access to different roles.

Hasura

To mitigate data leaks in the Hasura framework, ensure that all GraphQL queries are properly authenticated and authorized. Implement role-based access control (RBAC) to restrict data access based on user roles. Regularly audit your access control policies and review logs to detect any unauthorized access. Additionally, use environment variables for sensitive information instead of hardcoding them in the application code or configuration files. Keep the Hasura engine and all dependencies up to date with the latest security patches.

REST Specific

Asp_net

Implement proper access controls and ensure sensitive data is encrypted both in transit and at rest. Utilize ASP.NET's built-in features such as the Secure Socket Layer (SSL) for data in transit and the Data Protection API for encrypting sensitive data at rest. Regularly audit your API endpoints for unintended data exposure and adhere to the principle of least privilege when assigning permissions.

Ruby_on_rails

In Ruby on Rails, ensure that sensitive data is not included in the output of APIs by using strong parameters to whitelist only the necessary attributes for exposure. Additionally, configure the application to use environment variables or encrypted secrets management for handling confidential information, and never hardcode sensitive data within the codebase. Regularly audit your code and dependencies for vulnerabilities that could lead to data exposure.

Next_js

Ensure that sensitive data is not included in the API responses or client-side code. Use environment variables and server-side logic to handle secrets, and never expose them to the frontend. Implement proper access controls and audit logs to monitor data access.

Laravel

Ensure that sensitive data is not included in API responses. Review the code to remove any direct references to private keys, tokens, or passwords. Use Laravel's built-in functions to secure environment variables and leverage access control mechanisms to protect API endpoints. Implement proper logging to detect any unauthorized access attempts.

Express_js

Ensure that all sensitive data is properly encrypted and that API endpoints are secured with authentication and authorization checks. Implement environment variables to store secrets and use middleware like 'helmet' to set security-related HTTP headers. Regularly audit your code and dependencies for vulnerabilities.

Django

Ensure that Django's DEBUG mode is set to False in production to prevent the exposure of sensitive information. Use environment variables or a secure key management system to handle secrets and credentials. Regularly audit your code and use tools like Django's built-in 'check' framework to detect potential data leaks. Implement proper access controls and permissions for API endpoints.

Symfony

In the Symfony framework, ensure that all sensitive data is properly secured by using environment variables for storing secrets and access credentials. Utilize the 'dotenv' component for local environments and secure production secrets with a vault service or server environment variables. Implement access controls and use Symfony's 'secrets' management for sensitive values. Regularly audit your codebase to ensure that no sensitive data is hard-coded or exposed through APIs. Additionally, employ HTTPS and proper authentication mechanisms to protect data in transit.

Spring_boot

Ensure that sensitive data is not logged or exposed in API responses. Use environment variables or a secure vault service to manage secrets, and implement proper access controls and encryption for data in transit and at rest. Regularly audit your code and use automated tools to detect potential leaks. Update your Spring Boot application properties to exclude sensitive information from being exposed and configure proper logging levels to prevent accidental leaks.

Flask

Ensure that Flask endpoints handling sensitive data implement proper access controls and do not return confidential information in responses. Use environment variables or secure storage solutions to manage secrets, and never hardcode them in the source code. Regularly audit your code and use tools like static analyzers to detect accidental exposure of sensitive data.

Nuxt

Ensure that all sensitive data is stored in environment variables and not hardcoded in the application code. Use .env files for local development and secure secret management systems for production. Additionally, implement proper access controls and audit logs to monitor access to sensitive data. Regularly review and update API endpoints to ensure they do not inadvertently expose sensitive information.

Fastapi

Ensure that all sensitive data is properly encrypted and that API endpoints are secured with authentication and authorization checks. Implement environment variables for storing secrets and use FastAPI's dependency injection system to manage security configurations. Regularly audit your code and dependencies for vulnerabilities.

Configuration

Identifier: information_disclosure/data_leak

Options

• blacklist : List of elements to ignore.

Examples

Ignore this check

checks:
  information_disclosure/data_leak:
    skip: true

Score

• Escape Severity: HIGH

Compliance

• OWASP: API1:2023
• pci: 3.4
• gdpr: Article-32
• soc2: CC1
• psd2: Article-95
• iso27001: A.18.1
• nist: SP800-53
• fedramp: AC-4

Classification

Score

• CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
• CVSS_SCORE: 7.2

References

• https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html