
Threat Analysis

This video gives you an overview of the need to protect sensitive data.
6.6
Welcome to the Sensitive Data Exposure session. In this first part, we will focus on threat analysis. We will take our time to dig into the details of sensitive data exposure flaws. Then we will discuss how the system can be harmed, the impact of successful exploitation, and give you some insights to identify who may want to harm your system. Unfortunately, data leaks are becoming more and more frequent. Whether data is sensitive is in general business-specific, but there are some data categories considered sensitive in nature, such as authentication credentials, credit card details, and health records. Whenever data isn’t properly protected at rest or in transit, either internally or over the internet, then we’re dealing with a sensitive data exposure flaw. Let me show you something.
55.9
This is a very simple sensitive data exposure scenario in our intentionally vulnerable web application. In the second part we will exploit this and other issues. Notice that we access Juice Shop over HTTP and not HTTPS. This is how it works by design, but it makes it possible for someone sitting between the client and the server to spy on, exfiltrate, or tamper with the exchanged data. As you can see, the credit card number is masked on the screen, giving you a sense of security. Let’s see how the client and server exchange this data. At the bottom of the screen, you can see that the server sent all the credit card details, including the number masked on the screen, in plaintext.
97.9
This means that if there’s someone sitting between our browser and the server, then such an actor already has our credit card details. You’ll probably realise that at least your internet service provider is always in such a position, but proxy servers and content delivery networks are also common entities between our browsers and the web application backend servers. The credit card issue was quite obvious, but it happens a lot. Sometimes you have to exploit other vulnerabilities to uncover unprotected data, such as authentication data stored in the database. We will do this in the second part, but first let’s discuss attack vectors. Attackers may not even need to touch your application to gather some sensitive data.
143
Quite often, default credentials, keys, and other tokens are pushed to public repositories. In other cases, search engines are enough to reach database backup files, logs, or other sensitive documents. Sitting between the client and the server is a privileged position to access sensitive data, but with the widespread adoption of HTTPS, attackers had to develop new techniques. Client-side attacks, such as man-in-the-browser or scraping, are common techniques to gather sensitive data. Directly attacking cryptography is not an easy task, unless you’re using old or weak algorithms or default, leaked, or weak cryptographic keys. And unfortunately, this happens quite often.
185.5
When sensitive data is exfiltrated from your system, it is very likely that sooner or later it will be available on the internet or the dark web. Depending on the system’s nature, exposed data may allow attackers to perpetrate social engineering attacks, impersonating your users. Depending on the exposed data, attackers might be able to perpetrate some kind of fraud, taking advantage of systems’ inability to distinguish between malicious activity and legitimate activity. Law enforcement is not exactly a technical impact, but rather a business impact. Nevertheless, due to data protection laws and regulations, failing to protect data may result in huge losses.
223.5
There are autonomous systems crawling the web searching for publicly accessible data and scanning public source code repositories for leaked secrets or authentication tokens, and they have become very popular. Access to sensitive data does not necessarily require sophisticated tools and techniques; using a search engine might be enough, and virtually anyone can do it. Your data will always be available to someone. Attackers know that, and this is why ransom has become so popular, and lots of leaked data is available for sale online. Keep in mind that those inside your organization may have privileged access to sensitive information. There are different motivations, and they can change over time. You’ll find this table in the OWASP Top 10. Pause the video and take your time to carefully read it.
270.9
In the next part, we will exploit our target application to reach some sensitive data.
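The exposure demonstrated in the video, as an added example that is not Juice Shop’s own code and not part of the transcript: a backend serialiser that returns a stored card record unchanged (the full number reaches the browser and is only masked on screen), beside one that masks the number before it leaves the server, plus a small check that flags any response body still carrying a full card number. The record layout, field names and sample card are constructed for this illustration; the card number is a standard test value, not a real card.

```javascript
// Added example, not OWASP Juice Shop's own code. The field names and the
// sample record below are constructed for this illustration; the card number
// is a standard test PAN, not a real card.
const SAMPLE_CARD = {
  id: 1,
  fullName: 'Jane Doe',
  cardNum: 4111111111111111,
  expMonth: 12,
  expYear: 2030,
};

// Vulnerable: the record goes to the browser exactly as stored. Even if the
// UI prints it as ****1111, the full number is on the wire, where any
// intermediary (ISP, proxy, CDN) can read it when the connection is plain HTTP.
function serializeCardVulnerable(card) {
  return { ...card };
}

// Server-side masking: keep only the last four digits. Accepts numbers or
// strings with spaces/dashes; rejects anything outside the 12 to 19 digit
// range this check allows, so a malformed record cannot slip through unmasked.
function maskPan(pan) {
  const digits = String(pan).replace(/\D/g, '');
  if (digits.length < 12 || digits.length > 19) {
    throw new Error('PAN must contain 12 to 19 digits');
  }
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Hardened: the full PAN never leaves the backend; the client receives a
// display value it can render directly, so there is nothing left to mask.
function serializeCardHardened(card) {
  const { cardNum, ...rest } = card;
  return { ...rest, cardNum: maskPan(cardNum) };
}

// Exposure check for a response body about to be sent (or captured in a
// proxy): strip separators and look for any run of 12 to 19 digits. This is
// a coarse detector with no Luhn check, so it may also flag long numeric IDs;
// that is the right bias for a test that should fail loudly when a PAN leaks.
function containsFullPan(responseBody) {
  const text = JSON.stringify(responseBody).replace(/[\s-]/g, '');
  return /\d{12,19}/.test(text);
}

// Demo: compare what each variant actually puts on the wire.
function demo() {
  for (const [label, body] of [
    ['vulnerable', serializeCardVulnerable(SAMPLE_CARD)],
    ['hardened', serializeCardHardened(SAMPLE_CARD)],
  ]) {
    console.log(`${label}: ${JSON.stringify(body)} leaks PAN: ${containsFullPan(body)}`);
  }
}

demo();
```

Masking on the server is the only place it counts: the client-side mask in the video changes what the user sees, not what an intermediary on an HTTP connection sees. The containsFullPan check is the kind of assertion worth wiring into an API test suite or a proxy rule so that a regression reintroducing the full number is caught before it ships.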


Many systems store our sensitive data on their databases. In this video, you will see how the OWASP Juice Shop stores sensitive data, and you will then have the opportunity to follow a demonstration illustrating why this data is vulnerable to hacking.

Over to you: Go to OWASP Sensitive Data Exposure to read more about the table provided in this video. Share what you learn from the site in the comments section below.

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life
