Authenticated route returns sensitive data

Description

The API allows authenticated users to access sensitive data, which may not be intended.

What is considered sensitive data?

Sensitive data is information that, if inadvertently disclosed, could have significant consequences for the data subject. Sensitive data can encompass a wide range of information, including:

  • Personally identifiable information (PII), including name, email address, religion, or place of residence.
  • Financial information, which includes credit card or bank account numbers.
  • Health information, covering medical records or insurance information.
  • Government information, which includes social security numbers or other government-related data.
  • Proprietary information, which includes trade secrets or intellectual property (IP).

Rationale

This finding works by identifying an API that replies with or accepts requests containing sensitive data. While this isn’t inherently problematic, inadequate security controls could lead to data leaks.

Remediation

  • Make sure you enforce authorization to resources so that only authorized users can perform the action (AuthZ). Consider the different patterns that are usually followed such as:
    • Role-Based Access Control (RBAC), which is a model that grants resource access to users based on their assigned role. For example, users with the role ADMIN can access the app administrator panel.
    • Attribute-Based Access Control (ABAC), which instead evaluates attributes of the user (and often of the resource and the request) against a policy. This is a more general form of the previous model, since a role can be thought of as one attribute among many.
  • Validate whether the application is intended to return sensitive data.
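The following is an added example, not code from the original page: a minimal route handler for a "get customer record" endpoint, first in the shape this finding flags (any authenticated caller receives the full record) and then with the RBAC and ABAC checks from the list above enforced before any sensitive field is returned. The users, records, role-to-permission table and the owner-of-resource rule are all constructed for illustration; the HTTP status codes and response bodies are returned as plain tuples so the logic can be exercised without a web framework.

```python
# Added example (not from the original page). Assumed data model: users carry
# roles (RBAC input) and a department attribute (ABAC input); records carry an
# owner attribute. Everything below is constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class CustomerRecord:
    owner_id: str
    department: str
    email: str        # PII
    card_last4: str   # financial data


USERS = {
    "alice": User("alice", frozenset({"ADMIN"}), "billing"),
    "bob":   User("bob", frozenset({"USER"}), "billing"),
    "carol": User("carol", frozenset({"USER"}), "support"),
    "dave":  User("dave", frozenset({"SUPPORT"}), "support"),
}

RECORDS = {
    "rec-1": CustomerRecord("bob", "billing", "bob@example.com", "4242"),
    "rec-2": CustomerRecord("carol", "support", "carol@example.com", "1111"),
}

# RBAC: which permissions each role grants (constructed policy).
ROLE_PERMISSIONS = {
    "ADMIN":   {"record:read", "record:read_financial"},
    "SUPPORT": {"record:read"},          # may see contact details, not card data
    "USER":    set(),                    # no cross-user access at all
}


def rbac_allows(user: User, permission: str) -> bool:
    """True if any of the user's roles grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def abac_allows(user: User, record: CustomerRecord) -> bool:
    """Owner-of-resource rule: a user may always read their own record."""
    return user.user_id == record.owner_id


def get_record_insecure(requester_id: str, record_id: str):
    """The pattern this finding describes: authentication is checked, authorization is not."""
    if requester_id not in USERS:
        return 401, {"error": "unauthenticated"}
    record = RECORDS.get(record_id)
    if record is None:
        return 404, {"error": "not found"}
    # Every authenticated caller gets every field of every record.
    return 200, {"email": record.email, "card_last4": record.card_last4}


def get_record(requester_id: str, record_id: str):
    """Hardened handler: authenticate, then authorize (RBAC or ABAC), then redact by permission."""
    user = USERS.get(requester_id)
    if user is None:
        return 401, {"error": "unauthenticated"}
    record = RECORDS.get(record_id)
    if record is None:
        return 404, {"error": "not found"}
    # Deny unless a role grants read access or the caller owns the resource.
    if not (rbac_allows(user, "record:read") or abac_allows(user, record)):
        return 403, {"error": "forbidden"}
    body = {"email": record.email}
    # Financial fields need a stronger permission, or ownership of the record.
    if rbac_allows(user, "record:read_financial") or abac_allows(user, record):
        body["card_last4"] = record.card_last4
    return 200, body


if __name__ == "__main__":
    # Carol is authenticated but is neither an admin nor the owner of rec-1.
    print("insecure:", get_record_insecure("carol", "rec-1"))
    print("hardened:", get_record("carol", "rec-1"))
    print("support :", get_record("dave", "rec-1"))
```

The two handlers differ only in the block between the record lookup and the response: the insecure version equates "logged in" with "allowed", while the hardened version requires a positive decision from either the role table or the ownership rule, and then filters the response down to the fields that decision actually covers. Some APIs return 404 rather than 403 on a failed authorization check so that callers cannot use the status code to enumerate which record identifiers exist; either way, the check must run before any sensitive field is serialized.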

References

Reference                          Description
OWASP - Authorization Cheat Sheet  Authorization Cheat Sheet: guidance on the best practices to implement access controls.