Top 10 2013-A6-Sensitive Data Exposure

Revision as of 20:56, 4 March 2013 by Neil Smithline (talk | contribs)

Jump to: navigation, search

NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.

[[Top 10 {{{year}}}-Security Misconfiguration|← Security Misconfiguration]]
[[Top 10 {{{year}}}-Table of Contents | {{{year}}} Table of Contents]]

[[Top_10_{{{year}}}-Top 10|{{{year}}} Top 10 List]]

[[Top 10 {{{year}}}-Missing Function Level Access Control|Missing Function Level Access Control →]]
Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
Application / Business Specific
Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit, and even in your customers’ browsers. Include both external and internal threats. . Attackers typically don’t break crypto directly. They break something else, such as steal keys, do a man-in-the-middle attack, steal clear text data off the server, steal it in transit, or right from the browser. The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak hashing solutions to protect passwords. Browser weaknesses are very common and easy to detect, but hard to exploit. External attackers have difficulty detecting most of these types of flaws due to limited access and they are also usually hard to exploit. Failure frequently compromises all data that should have been protected. Typically this information includes sensitive data such as health records, credentials, personal data, credit cards, etc. Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.
Am I Vulnerable To 'Sensitive Data Exposure'?

The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data, ensure:

  1. It is encrypted everywhere it is stored long term, including backups of this data.
  2. It is encrypted in transit, ideally internally as well as externally. All internet traffic should be encrypted.
  3. Strong encryption algorithms are used for all crypto.
  4. Strong crypto keys are generated, and proper key management is in place, including key rotation.
  5. Proper browser directives and headers are set to protect sensitive data provided by or sent to the browser.

And more … For a more complete set of problems to avoid, see ASVS areas Crypto (V7), Data Prot. (V9), and SSL (V10)

How Do I Prevent 'Sensitive Data Exposure'?

The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:

  1. Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
  2. Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
  3. Ensure strong standard algorithms and strong keys are used, and proper key management is in place.

Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.

  1. Disable autocomplete on forms collecting sensitive data and disable caching for pages displaying sensitive data.
Example Attack Scenarios

Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key. Scenario #2: A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing all their private data. Scenario #3: The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All the unsalted hashes can be exposed with a rainbow table of precalculated hashes.


OWASP For a more complete set of requirements, see ASVS req’ts on Cryptography (V7), Data Protection (V9) and Communications Security (V10)

  • OWASP Cryptographic Storage Cheat Sheet
  • OWASP Password Storage Cheat Sheet
  • OWASP Transport Layer Protection Cheat Sheet
  • OWASP Testing Guide: Chapter on SSL/TLS Testing


  • CWE Entry 310 on Cryptographic Issues
  • CWE Entry 312 on Cleartext Storage of Sensitive Information
  • CWE Entry 319 on Cleartext Transmission of Sensitive Information
  • CWE Entry 326 on Weak Encryption
[[Top 10 {{{year}}}-Security Misconfiguration|← Security Misconfiguration]]
[[Top 10 {{{year}}}-Table of Contents | {{{year}}} Table of Contents]]

[[Top_10_{{{year}}}-Top 10|{{{year}}} Top 10 List]]

[[Top 10 {{{year}}}-Missing Function Level Access Control|Missing Function Level Access Control →]]

© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
[[Category:OWASP Top Ten {{{year}}} Project]]