Secrets leaks
Description
The application exposes sensitive data to the public, such as secrets, private keys, tokens, or passwords, in responses that can be read by unauthorized clients. This security check detects such data in the API's responses.
Remediation
If there is any chance that unauthorized individuals have already accessed the secret, revoke it immediately and notify the affected team: a secret that has been exposed must be treated as compromised even if no misuse has been observed yet.
If the leak happens through another vulnerability, such as a Server-Side Request Forgery, fix that vulnerability as well; otherwise the rotated secret will leak the same way.
Have your developers implement these best practices to avoid leaking secrets:
- Inside logs: keep sensitive data out of logs (redact passwords, tokens, and keys before a record is written).
- Inside commits: a pre-commit hook or a Gitleaks scan, so secrets are caught before they reach the repository history.
- In the configuration: an environment variable or secret manager such as HashiCorp Vault, instead of values hard-coded in source or config files.
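The two sides of the advice above, detecting secrets that reach a response and keeping them out of logs, share the same pattern table. The block below is an added example written for this page, not Escape's detector or any project's code: a small regex-based scanner for a parsed GraphQL response, with a `blacklist` of JSON paths to skip (an assumption about how the check's "elements to ignore" option is addressed), and a redaction function that reuses the same patterns on a log record. The patterns, field names and sample response are constructed for illustration.

```javascript
// Added example, not Escape's own detector: regex-based detection of leaked
// secrets in a parsed GraphQL response, and the same patterns reused to redact
// a log record before it is written. Patterns, paths and sample data are
// constructed for illustration; extend the table with the token formats your
// own stack actually issues.

const SECRET_PATTERNS = [
  // AWS access key IDs: 20 chars, AKIA (long-lived) or ASIA (temporary) prefix.
  { name: "aws_access_key_id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  // Header line of a PEM-encoded private key.
  { name: "private_key", re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/ },
  // Unencrypted JWT: three base64url segments, header starting with eyJ ("{").
  { name: "jwt", re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/ },
  // GitHub personal access token (classic).
  { name: "github_pat", re: /\bghp_[A-Za-z0-9]{36}\b/ },
];

// Field names whose values are secret by definition, whatever they contain.
const SENSITIVE_KEYS = /^(password|passwd|secret|token|api_?key|private_?key|authorization)$/i;

// Walk a parsed JSON value and report every secret found with its JSON path.
// `blacklist` is a list of JSON paths to skip, modelled on the check's option
// (assumption: the check's "elements" are addressed the same way).
function findSecrets(value, { blacklist = [] } = {}, path = "$", out = []) {
  if (blacklist.includes(path)) return out;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findSecrets(item, { blacklist }, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (blacklist.includes(childPath)) continue;
      if (SENSITIVE_KEYS.test(key) && typeof child === "string" && child !== "") {
        out.push({ path: childPath, kind: "sensitive_field" });
      } else {
        findSecrets(child, { blacklist }, childPath, out);
      }
    }
  } else if (typeof value === "string") {
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(value)) out.push({ path, kind: name });
    }
  }
  return out;
}

// Return a copy of a log record that is safe to write: sensitive fields are
// masked and any string matching a secret pattern is replaced in place.
function redactForLog(value) {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      out[key] = SENSITIVE_KEYS.test(key) ? "[REDACTED]" : redactForLog(child);
    }
    return out;
  }
  if (typeof value === "string") {
    // Fresh global regex per call: a shared /g regex would carry lastIndex state.
    return SECRET_PATTERNS.reduce(
      (s, { name, re }) => s.replace(new RegExp(re.source, "g"), `[REDACTED:${name}]`),
      value,
    );
  }
  return value;
}

// Constructed response: the `me` object returns a session token as a field and
// an AWS key pasted into free text, both of which the check would flag.
const SAMPLE_RESPONSE = {
  data: {
    me: {
      id: "42",
      email: "alice@example.com",
      token: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl",
      bio: "deploy key AKIAIOSFODNN7EXAMPLE is in the wiki",
    },
  },
};

console.log(JSON.stringify(findSecrets(SAMPLE_RESPONSE), null, 2));
console.log(JSON.stringify(redactForLog(SAMPLE_RESPONSE), null, 2));
```

Running the scanner on the sample reports `$.data.me.token` as a sensitive field and `$.data.me.bio` as an AWS access key ID; passing `{ blacklist: ["$.data.me.token"] }` suppresses the first finding only, which is the intended use of the option when a field is a deliberate part of the API (a login mutation's token, for example). Redaction does not mutate the original object, so the same record can still be used for processing after the redacted copy is logged.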
Apollo
If there is any chance that unauthorized individuals have already accessed the secret, revoke it immediately and notify the affected team: a secret that has been exposed must be treated as compromised even if no misuse has been observed yet.
If the leak happens through another vulnerability, such as a Server-Side Request Forgery, fix that vulnerability as well; otherwise the rotated secret will leak the same way.
Have your developers implement these best practices to avoid leaking secrets:
- Inside logs: keep sensitive data out of logs (redact passwords, tokens, and keys before a record is written).
- Inside commits: a pre-commit hook or a Gitleaks scan, so secrets are caught before they reach the repository history.
- In the configuration: an environment variable or secret manager such as HashiCorp Vault, instead of values hard-coded in source or config files.
See Apollo's access control documentation. For large-scale applications, a dedicated package such as GraphQL Shield lets you declare per-field authorization rules in one place instead of re-implementing the checks in every resolver, which is where secret-bearing fields tend to slip through.
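What a rule layer like GraphQL Shield does for an Apollo resolver map, written out in plain JavaScript as an added example for this page (this is neither Shield's API nor Apollo's code): each field is wrapped with a rule, a per-type `"*"` default and a deny-by-default fallback cover unlisted fields, and the secret `apiKey` field is only resolved for its owner or an admin. The users, types, fields and rule names are constructed for illustration.

```javascript
// Added example, not GraphQL Shield's API or Apollo's code: a minimal rule
// layer wrapped around an Apollo-style resolver map so that a secret field
// is only resolved for callers a rule allows. Users, types and fields below
// are constructed for illustration.

// Rules get the resolver arguments (parent, args, context, info) and return
// true to allow. Anonymous callers have no ctx.user.
const isAuthenticated = (_parent, _args, ctx) => Boolean(ctx.user);
const isOwner = (parent, _args, ctx) => Boolean(ctx.user) && ctx.user.id === parent.id;
const isAdmin = (_parent, _args, ctx) => Boolean(ctx.user) && ctx.user.roles.includes("admin");
const or = (...rules) => (...resolverArgs) => rules.some((rule) => rule(...resolverArgs));

// Wrap every resolver with the rule for its field; "*" is the per-type default
// and `fallbackRule` applies to anything not listed, so new fields are denied
// until someone writes a rule for them.
function applyPermissions(resolvers, permissions, fallbackRule) {
  const guarded = {};
  for (const [typeName, fields] of Object.entries(resolvers)) {
    guarded[typeName] = {};
    for (const [fieldName, resolve] of Object.entries(fields)) {
      const rule =
        permissions[typeName]?.[fieldName] ?? permissions[typeName]?.["*"] ?? fallbackRule;
      guarded[typeName][fieldName] = (parent, args, ctx, info) => {
        if (!rule(parent, args, ctx, info)) {
          throw new Error(`Not authorized to read ${typeName}.${fieldName}`);
        }
        return resolve(parent, args, ctx, info);
      };
    }
  }
  return guarded;
}

// Constructed data store: `apiKey` is the secret that must not leak to other users.
const USERS = {
  "1": { id: "1", email: "alice@example.com", apiKey: "ak_live_constructed_alice" },
  "2": { id: "2", email: "bob@example.com", apiKey: "ak_live_constructed_bob" },
};

const resolvers = {
  Query: { user: (_parent, { id }) => USERS[id] ?? null },
  User: {
    id: (user) => user.id,
    email: (user) => user.email,
    apiKey: (user) => user.apiKey,
  },
};

const permissions = {
  Query: { user: isAuthenticated },
  User: { "*": isAuthenticated, apiKey: or(isOwner, isAdmin) },
};

const guarded = applyPermissions(resolvers, permissions, () => false);

// Resolve one field the way an executor would, returning the value or the
// authorization error instead of throwing (constructed helper for the demo).
function readField(typeName, fieldName, parent, args, ctx) {
  try {
    return { value: guarded[typeName][fieldName](parent, args, ctx, {}) };
  } catch (err) {
    return { error: err.message };
  }
}

const alice = { user: { id: "1", roles: ["user"] } };
const admin = { user: { id: "9", roles: ["admin"] } };
const anonymous = {};

console.log(readField("User", "apiKey", USERS["2"], {}, alice));      // denied: Alice is not the owner
console.log(readField("User", "apiKey", USERS["1"], {}, alice));      // allowed: owner
console.log(readField("Query", "user", null, { id: "2" }, anonymous)); // denied: not authenticated
```

The point of the `fallbackRule` argument is the one this check keeps finding in practice: a field added later to the `User` type is denied until a rule names it, so forgetting to think about a new `secret` or `token` field fails closed rather than exposing it. In a real server the thrown error becomes a field-level GraphQL error and the field resolves to `null`; the rest of the query still succeeds.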
Awsappsync
If there is any chance that unauthorized individuals have already accessed the secret, revoke it immediately and notify the affected team: a secret that has been exposed must be treated as compromised even if no misuse has been observed yet.
If the leak happens through another vulnerability, such as a Server-Side Request Forgery, fix that vulnerability as well; otherwise the rotated secret will leak the same way.
Have your developers implement these best practices to avoid leaking secrets:
- Inside logs: keep sensitive data out of logs (redact passwords, tokens, and keys before a record is written).
- Inside commits: a pre-commit hook or a Gitleaks scan, so secrets are caught before they reach the repository history.
- In the configuration: an environment variable or secret manager such as HashiCorp Vault, instead of values hard-coded in source or config files.
AppSync provides several other methods for protecting critical information:
- To learn more about implementing fine-grained access control, see https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#fine-grained-access-control.
- To learn more about filtering critical data directly out of responses, see https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#aws-appsync-filtering-information.
Hasura
If there is any chance that unauthorized individuals have already accessed the secret, revoke it immediately and notify the affected team: a secret that has been exposed must be treated as compromised even if no misuse has been observed yet.
If the leak happens through another vulnerability, such as a Server-Side Request Forgery, fix that vulnerability as well; otherwise the rotated secret will leak the same way.
Have your developers implement these best practices to avoid leaking secrets:
- Inside logs: keep sensitive data out of logs (redact passwords, tokens, and keys before a record is written).
- Inside commits: a pre-commit hook or a Gitleaks scan, so secrets are caught before they reach the repository history.
- In the configuration: an environment variable or secret manager such as HashiCorp Vault, instead of values hard-coded in source or config files.
See Hasura's detailed documentation on authorization: its role-based permissions are defined per table and per column, so a column holding a secret can be left out of the select permission of every role that does not strictly need it.
Configuration
CheckId:
access_control/secrets_leaks
Options
- blacklist: list of elements to ignore (findings inside these elements are not reported).
Examples
Ignoring this check
{
  "checks": {
    "access_control/secrets_leaks": {
      "skip": true
    }
  }
}
Check with all default options
{
  "checks": {
    "access_control/secrets_leaks": {
      "options": {
        "blacklist": []
      }
    }
  }
}
Score
- Escape Severity: HIGH
- OWASP: A01:2023
- PCI DSS: 6.5.8
- CWE
- 200
- 201
- 284
- 668
- 1198
- 1212
- 1220
- WASC: 22
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 7.2
References
https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html