Sensitive Data Exposure
Discover how applications inadvertently expose sensitive information through misconfigurations and poor security practices. Learn to identify leaked credentials, API keys, and personal data in error messages, backups, and client-side code.
Introduction to Sensitive Data Exposure
theoryUnderstand what sensitive data exposure is, why it matters, and common sources of leaks.
Introduction to Sensitive Data Exposure
What is Sensitive Data Exposure?
Sensitive Data Exposure occurs when applications, APIs, or servers fail to adequately protect confidential information such as credentials, API keys, personal data, or cryptographic keys.
Common sensitive data types
- Passwords and password hashes
- API keys, tokens, and secrets
- Personally Identifiable Information (PII)
- Encryption keys and certificates
- Internal configuration and debug data
Typical sources of exposure
- Misconfigured storage (public S3 buckets, exposed directories)
- Verbose error messages or stack traces
- Unencrypted transmissions (HTTP instead of HTTPS)
- Leftover files (.git, backups) on web root
- Logging secrets to accessible logs
Knowledge Check
Which of the following is a primary risk from sensitive data exposure?
Data-in-Transit: TLS and Transport Security
theoryLearn about protecting data during transport and common TLS misconfigurations.
Data-in-Transit: TLS and Transport Security
Protecting Data in Transit
Use TLS to encrypt data between clients and servers.
- Enforce TLS 1.2+ and disable insecure ciphers
- Use HSTS
- Redirect HTTP to HTTPS and validate certificates
Knowledge Check
Which practice helps protect data in transit?
Leakage via Debug/Error Messages (Simulation)
simulationSimulate leaking secrets in verbose error pages.
Simulation Objective
Simulate leaking secrets in verbose error pages.
Target
/user/profile?show=error
Scenario
Stack trace disclosure
Exposed Backup/.git or Public Files (Simulation)
simulationSimulate exposed config or repository files revealing secrets.
Simulation Objective
Simulate exposed config or repository files revealing secrets.
Target
/.git/HEAD
Scenario
Exposed git
API Key / Secret in JavaScript or HTML (Simulation)
simulationSimulate discovering secrets embedded in static files.
Simulation Objective
Simulate discovering secrets embedded in static files.
Target
/static/js/app.js
Scenario
Frontend key disclosure
Insecure Storage: Plaintext Secrets (Simulation)
simulationSimulate plaintext stored credentials.
Simulation Objective
Simulate plaintext stored credentials.
Target
/admin/export-users
Scenario
Plaintext passwords
Token Replay & Poorly Scoped Tokens
theoryTheory: long-lived tokens & overly broad scopes.
Token Replay & Poorly Scoped Tokens
Token Risks
Tokens should expire fast, be scoped, and revocable.
- Short expiry
- Minimal permissions
- Revocation & monitoring
Knowledge Check
Which reduces the blast radius if a key is leaked?
Prevention & Remediation Best Practices
theoryLearn controls to prevent leaks.
Prevention & Remediation Best Practices
Remediation & Prevention
- Encrypt at rest + in transit
- Use secrets managers
- Do not store secrets in repos
- Limit PII and retention
Knowledge Check
Which is a secure way to manage secrets?
Sensitive Data Exposure Challenge - Safe Remediation
simulationSimulation: find exposed secret & provide remediation text.
Simulation Objective
Simulation: find exposed secret & provide remediation text.
Target
/.env
Scenario
Identify and remediate