Difference between revisions of "Category:Sensitive Data Protection Vulnerability"

(Undo revision 89209 by Frank Alexander (talk): Reverting direct link to an EXE file.)

Latest revision as of 12:50, 4 April 2012

This category is for tagging vulnerabilities that lead to insecure protection of sensitive data. The protection referred to here covers the confidentiality and integrity of data throughout its whole lifecycle, including storage and transmission.

Please note that this category is intended to be distinct from access control problems, although both fail to protect data appropriately. Normally, the goal of access control is to grant data access to some users but not others. In this category, we are instead concerned with protecting sensitive data that is not intended to be revealed to or modified by any application user. Examples of this kind of sensitive data are cryptographic keys, passwords, security tokens, or any information that an application relies on for critical decisions.

Examples of this vulnerability include:

  • Information leakage resulting from insufficient memory clean-up
  • Inappropriate protection of cryptographic keys (this should also be labeled with Category:Cryptography)
  • Clear-text passwords in configuration files (this should also be labeled with Category:Authentication if the passwords are used for authentication)
  • Lack of integrity protection for stored user data
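The last item above, worked through as an added example (not OWASP's own code): a stored user record with no integrity tag can be edited by the user without the application noticing, whereas a record sealed with an HMAC-SHA256 tag fails verification on load. The helper names `seal`, `unseal` and `tamper_demo` are hypothetical, and the key is assumed to come from a secret store rather than a configuration file.

```python
import hashlib
import hmac
import json

# Added example, not OWASP's code. Hypothetical helpers: seal/unseal store a
# user record with an HMAC-SHA256 tag so that tampering with the stored copy
# is detected on load. The key is assumed to come from a secret store.


def serialize(record: dict) -> bytes:
    # Canonical JSON so the same record always yields the same bytes
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> bytes:
    """Protected storage: body + '.' + hex HMAC-SHA256 tag over the body bytes."""
    body = serialize(record)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def unseal(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the body; raise ValueError on any mismatch."""
    # The hex tag contains no '.', so the last '.' is always the separator.
    body, sep, tag = blob.rpartition(b".")
    if not sep:
        raise ValueError("integrity check failed: no tag")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison: do not leak where the tags first differ.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: tag mismatch")
    return json.loads(body)


def tamper_demo(key: bytes) -> tuple:
    """Constructed scenario: a user edits the stored copy of their own record
    to change role 'user' into 'admin'. Returns
    (role accepted by the unprotected loader, whether the sealed copy was rejected)."""
    record = {"user": "alice", "role": "user"}
    edit = (b'"role":"user"', b'"role":"admin"')
    plain_blob = serialize(record).replace(*edit)       # no tag: edit goes unnoticed
    sealed_blob = seal(record, key).replace(*edit)      # tag no longer matches body
    try:
        unseal(sealed_blob, key)
        rejected = False
    except ValueError:
        rejected = True
    return json.loads(plain_blob)["role"], rejected
```

Calling `tamper_demo(key)` with any 32-byte key returns `('admin', True)`: the unprotected loader accepts the escalated role, the sealed copy is rejected.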
