Add a section for checking if the server responds with sensitive information. #727

Open
pinkLagoon opened this issue Mar 17, 2021 · 7 comments
Labels
help wanted new New content to write

Comments

@pinkLagoon

What would you like added?
We sometimes see that developers might just serialize an entire object into JSON and return it in an API response. Sometimes this object contains sensitive information. I personally have seen passwords and API keys being displayed. I think this will fall under the new 4.12 API Testing section.

Would you like to be assigned to this issue?
I might later. If someone beats me to it that will be good.

@pinkLagoon pinkLagoon added help wanted new New content to write labels Mar 17, 2021
@ThunderSon
Collaborator

I highly believe this goes beyond API testing.
I just noticed the guide doesn't tackle that point, CWE 200 and similar vectors.
@kingthorin what do you think about this? Top 10 A3 (sensitive data exposure) is just referenced when data is sent unencrypted, but the guide in no way discusses "more" data being sent back to the user.
Would be interesting to find a home for it.

Nice catch @pinkLagoon!

@kingthorin
Collaborator

Yup this is definitely something we need to tackle. I've definitely seen apps in the past that returned JSON or XML responses that contained more data than displayed to the user.

@ThunderSon
Collaborator

ThunderSon commented Mar 20, 2021

This is currently being reviewed to see in how many stages this can be added.

  1. Potentially dangerous data (testing topic)
  2. Benign data -- cultural and leads to maturity (early chapters topic)

Talking with @elarlang, ASVS doesn't have clear directions on that topic either.

@github-actions

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@github-actions

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@elarlang

> Talking with @elarlang, ASVS doesn't have clear directions on that topic either.

The solution in ASVS - added a requirement in the "defensive coding" section:

> Verify that the application returns only the data the user has permission to access. For example, the API response does not return a full object with attributes that contain values the user has no permission to access although having permission to access the data object.
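As an added example (not code from this issue, the WSTG, or ASVS), the snippet below contrasts the whole-object serialization pinkLagoon describes with an allowlisted response shaped by the caller's permission, as the ASVS requirement asks, and adds a small tester-side check that flags suspicious key names in a JSON body. The User fields, the allowlist, the key hints and the sample values are all constructed for illustration.

```python
import json
from dataclasses import dataclass, asdict

# Constructed sample record; the secret-looking values are placeholders.
@dataclass
class User:
    id: int
    username: str
    email: str
    password_hash: str
    api_key: str
    role: str

# Fields each kind of caller may see. Secrets are on no list at all.
FIELD_ALLOWLIST = {
    "public": ("id", "username"),
    "self": ("id", "username", "email", "role"),
}

def serialize_whole_object(user: User) -> str:
    """The risky pattern: every attribute, secrets included, goes out."""
    return json.dumps(asdict(user))

def serialize_for(user: User, viewer: str) -> str:
    """Safer pattern: explicit allowlist chosen by the caller's relationship."""
    allowed = FIELD_ALLOWLIST["self" if viewer == user.username else "public"]
    return json.dumps({k: getattr(user, k) for k in allowed})

# Substrings that often mark fields a response should not carry (assumed list).
SENSITIVE_KEY_HINTS = ("password", "secret", "token", "api_key", "apikey", "ssn")

def _walk(node, path, hits):
    # Recursively collect dotted paths whose key name matches a hint.
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if any(h in key.lower() for h in SENSITIVE_KEY_HINTS):
                hits.append(here)
            _walk(value, here, hits)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", hits)

def find_sensitive_keys(body: str) -> list:
    """Return paths of suspicious keys found in a JSON response body."""
    hits = []
    _walk(json.loads(body), "", hits)
    return hits

if __name__ == "__main__":
    u = User(1, "alice", "alice@example.test", "HASH_PLACEHOLDER", "KEY_PLACEHOLDER", "admin")
    print(find_sensitive_keys(serialize_whole_object(u)))  # ['password_hash', 'api_key']
    print(find_sensitive_keys(serialize_for(u, "bob")))    # []
```

The check only looks at key names, so it is a triage aid for testers reviewing captured responses, not a substitute for the per-field permission design.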
