Information Leakage / Sensitive Information Leaked
Description
Sensitive Information Leaked is a type of information leakage vulnerability. It refers to the unauthorized disclosure of sensitive or confidential data through a web application or API service. It is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and is part of the OWASP Top 10 list of application security risks. The impact of this vulnerability can range from minor, such as the disclosure of an email address, to serious, such as the disclosure of personal financial information.
Risk
This vulnerability can cause serious loss, damage or harm to individuals or organizations through the disclosure of sensitive or confidential information. The risk can be high, depending on the type of information that is leaked. An attacker may be able to use the information for malicious purposes such as identity theft, blackmail or fraud.
Solution
The best way to address this vulnerability is to ensure that sensitive or confidential information is not stored in the application. Alternatively, the application can be configured to securely store and encrypt sensitive data. Additionally, proper authentication, authorization and access control measures should be taken to ensure that only authorized users are able to access sensitive data.
Example
The following example is taken from CVE-2019-12097, a vulnerability in the Apache Struts2 framework. The application is vulnerable to information leakage because it does not properly validate user input. As a result, an attacker can craft a malicious request that leaks sensitive information from the application.
GET /struts2-rest-showcase/orders/3?name=%25{#context['xwork.MethodAccessor.denyMethodExecution'].deny()} HTTP/1.1
Host: localhost
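
A defensive check for request lines like the one above, as an added example that is not part of the original page or of Struts: it percent-decodes each query parameter and flags values that open an expression (`%{` or `${`). The function names, the decode-round limit and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Expression openers: "%{" as in the page's request, plus the "${" form.
EXPR_OPEN = re.compile(r"[%$]\{")
MAX_DECODE_ROUNDS = 3  # assumption: bound on nested percent-encoding


def fully_decode(value, rounds=MAX_DECODE_ROUNDS):
    """Percent-decode repeatedly until the value is stable or the limit is hit."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(request_target):
    """Return the names of query parameters that carry an expression opener."""
    # Split on the first "?" only: the raw target may contain a literal "#",
    # which a URL parser would cut off as a fragment and hide from the check.
    _, _, query = request_target.partition("?")
    hits = []
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        if EXPR_OPEN.search(fully_decode(raw)) or EXPR_OPEN.search(fully_decode(name)):
            hits.append(unquote_plus(name))
    return hits


def scan_request_lines(lines):
    """Return (line_number, flagged_parameter_names) for each flagged request line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        _method, _, rest = line.partition(" ")
        target, _, _version = rest.rpartition(" ")
        flagged = suspicious_params(target)
        if flagged:
            findings.append((number, flagged))
    return findings


# Line 1 is the request from the page; lines 2 and 3 are constructed samples.
SAMPLE_REQUEST_LINES = [
    "GET /struts2-rest-showcase/orders/3?name=%25{#context['xwork.MethodAccessor.denyMethodExecution'].deny()} HTTP/1.1",
    "GET /struts2-rest-showcase/orders/3?name=Bob&discount=50%25 HTTP/1.1",
    "GET /struts2-rest-showcase/orders?q=%2524%257Bx%257D HTTP/1.1",
]

if __name__ == "__main__":
    for number, flagged in scan_request_lines(SAMPLE_REQUEST_LINES):
        print(f"line {number}: expression marker in parameter(s) {flagged}")
```

A check like this belongs in front of the application (filter, gateway or log review) as an additional signal; it does not replace input validation in the application itself.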