
OWASP Top 10 2013 - A6 - Sensitive Data Exposure

Learn how sensitive data exposure lets attackers gain unauthorized access to passwords, credit card numbers, and personal information, and how to prevent data breaches with encryption and proper key management.

Overview

This article discusses OWASP Top 10 2013-A6, Sensitive Data Exposure: a security issue in which sensitive data is accessed or disclosed to parties who are not authorized to see it. It provides an overview of the threat agents, attack vectors, security weakness, technical impacts, and business impacts associated with sensitive data exposure.


Description

Sensitive data exposure occurs when unauthorized individuals gain access to sensitive data, such as passwords, credit card numbers, health records, and personal information. This can happen through various means, including stealing encryption keys, performing man-in-the-middle attacks, or obtaining clear text data from servers or users' browsers. The most common flaw in sensitive data exposure is the lack of encryption for the data. Weak key generation, weak algorithm usage, and browser weaknesses are also common. Failure to protect sensitive data can lead to the compromise of all data that should have been protected, resulting in serious consequences for businesses and individuals. This article emphasizes the importance of encrypting sensitive data, using strong algorithms and proper key management, and implementing necessary security measures to prevent sensitive data exposure.


How to Prevent?

To prevent sensitive data exposure, it is crucial to determine which data requires extra protection and ensure that it is encrypted at rest and in transit. Unnecessary storage of sensitive data should be avoided, and strong standard algorithms and keys should be used with proper key management. Passwords should be stored using dedicated password hashing algorithms such as bcrypt, PBKDF2, or scrypt. Autocomplete should be disabled on forms that collect sensitive data, and caching should be disabled for pages that contain sensitive data.


Example Attack Scenarios

  • Scenario #1: Automatic Database Encryption Flaw: In this scenario, an application encrypts credit card numbers in a database using automatic database encryption. However, the database also automatically decrypts the data when it is retrieved, so an SQL injection flaw can retrieve the credit card numbers in clear text. To prevent this, the application should encrypt the credit card numbers with a public key and allow only back-end applications to decrypt them with the corresponding private key.

  • Scenario #2: Lack of SSL Usage for Authenticated Pages: In this scenario, a website does not use SSL for all authenticated pages. An attacker monitors network traffic, for example on an open wireless network, and steals the user's session cookie. The attacker then replays the cookie and hijacks the user's session, gaining access to the user's private data. To prevent this, SSL should be used for all authenticated pages to protect sensitive data in transit.

  • Scenario #3: Unsalted Hashes in Password Database: In this scenario, the password database stores users' passwords as unsalted hashes. An attacker exploits a file upload flaw to retrieve the password file, exposing all of the unsalted hashes. The attacker can then use a precalculated rainbow table to crack the passwords quickly. To prevent this, passwords should be stored with salted hashes, which makes them far more difficult for attackers to crack.
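The following is an added example, not code from the original article or from OWASP, illustrating both the password-storage advice in the prevention section and the unsalted-hash weakness of Scenario #3. It uses only the Python standard library (hashlib's PBKDF2-HMAC, one of the algorithms named above). The user names, passwords and the storage record format are constructed for the demonstration; the iteration count is an assumed work factor, not a value from the article.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data: two users who happen to share the same password.
SAMPLE_USERS = {"alice": "Winter2013!", "bob": "Winter2013!"}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The flawed scheme from Scenario #3: a bare SHA-256 of the password.
    Identical passwords produce identical hashes, and a single precomputed
    (rainbow) table cracks every user in the file at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Store a password as salt + PBKDF2-HMAC-SHA256, per the prevention advice.
    Returns a self-describing record: algorithm$iterations$salt_hex$digest_hex,
    so the verifier can recover the parameters without a side table."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so the check does not leak via timing."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def build_unsalted_db(users: dict[str, str]) -> dict[str, str]:
    """Password file as Scenario #3 describes it (vulnerable)."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def build_salted_db(users: dict[str, str]) -> dict[str, str]:
    """Password file as the prevention section recommends (hardened)."""
    return {name: hash_password(pw) for name, pw in users.items()}


def duplicate_hash_count(records: dict[str, str]) -> int:
    """Number of stored hashes that collide across users. Without salts a
    shared password is visible to anyone holding the file; with salts it is not."""
    return len(records) - len(set(records.values()))


if __name__ == "__main__":
    weak = build_unsalted_db(SAMPLE_USERS)
    strong = build_salted_db(SAMPLE_USERS)
    print("unsalted duplicates:", duplicate_hash_count(weak))   # 1: alice == bob
    print("salted duplicates:  ", duplicate_hash_count(strong))  # 0
    print("alice logs in:", verify_password("Winter2013!", strong["alice"]))
    print("wrong password:", verify_password("Spring2014!", strong["alice"]))
```

Embedding the algorithm name, iteration count and salt in each record is what lets a deployment raise the work factor later and re-hash users on their next successful login, rather than forcing a reset; the constant-time comparison is the other detail that a hand-rolled `==` check gets wrong.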
