Sensitive Data Exposure

Sensitive data exposure occurs when a web application fails to adequately protect sensitive information such as financial data, health records, personal identifiers, and authentication credentials. This can happen during storage, transmission, or processing, and it is one of the leading causes of data breaches worldwide.

---

What is Sensitive Data?

Sensitive data is any information that requires protection due to its potential impact if exposed:

Category	Examples
Personal Identifiable Information (PII)	Names, addresses, dates of birth, national ID numbers
Financial data	Credit card numbers, bank account details, transaction records
Authentication credentials	Passwords, API keys, session tokens, OAuth secrets
Health information	Medical records, prescriptions, insurance details
Business data	Trade secrets, intellectual property, internal communications
Legal data	Contracts, court records, attorney-client communications

---

How Sensitive Data is Exposed

1. Data in Transit

Data transmitted without encryption can be intercepted by anyone on the network path:

[Browser] ──── HTTP (plaintext) ────▶ [Server]
              ▲
              │
         [Attacker on network can read everything]

Prevention:

• Enforce TLS (HTTPS) for all connections
• Use HSTS to prevent protocol downgrade
• Use TLS 1.2 or 1.3 (disable older versions)
• Redirect all HTTP traffic to HTTPS

# Nginx — redirect HTTP to HTTPS and set HSTS
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

2. Data at Rest

Data stored without encryption is vulnerable if the storage is compromised:

Storage Type	Risk	Mitigation
Database	SQL injection, backup theft	Encrypt sensitive columns or full-disk encryption
File system	Server compromise, misconfigured access	File-level or full-disk encryption
Backups	Unencrypted backup files on shared storage	Encrypt backups; secure backup storage
Logs	Sensitive data accidentally logged	Scrub/redact sensitive data from logs
Cloud storage	Public buckets, misconfigured access	Enforce private access; enable server-side encryption

3. Data in Processing

Even when data is encrypted in transit and at rest, it may be exposed during processing:

• Sensitive data stored in plaintext variables in memory
• Data written to temporary files without encryption
• Error messages or logs containing sensitive information
• Debugging tools exposing data in development

---

Common Sensitive Data Exposure Vulnerabilities

Passwords Stored in Plaintext or with Weak Hashing

-- INSECURE: plaintext passwords in the database
SELECT * FROM users;
-- id | username | password
-- 1  | alice    | MySecret123!
-- 2  | bob      | Password1

-- INSECURE: using MD5 or SHA-256 (too fast)
-- id | username | password_hash
-- 1  | alice    | 5f4dcc3b5aa765d61d8327deb882cf99

-- SECURE: using bcrypt with salt
-- id | username | password_hash
-- 1  | alice    | $2b$12$LJ3m4ys3Lk0TBGFOBbQT4OGRtGJKPnYKpQlCt6VJn6bx.XYwHd3m

API Keys and Secrets in Source Code

// INSECURE — hardcoded API key
const API_KEY = 'sk-live-abc123def456ghi789';

// SECURE — loaded from environment variables
const API_KEY = process.env.API_KEY;

Never commit secrets to version control. Use environment variables, secret management tools (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault), or encrypted configuration files.

Sensitive Data in URLs

# INSECURE — sensitive data in query parameters (logged by servers, proxies, browsers)
https://example.com/api/user?ssn=123-45-6789&dob=1990-01-15

# SECURE — use POST with encrypted body
POST /api/user
Content-Type: application/json
{ "ssn": "123-45-6789", "dob": "1990-01-15" }

Sensitive Data in Logs