Using this vulnerabilty an attacker can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit, and even in your customers’ browsers. Include both external and internal threats. Attackers typically don’t break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s browser.

The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.

Question 1 – What is Sensitive data?

Ans:-

• Banking Information (account number, credit card numbers).
• Health Information.
• Personal information (date of birth, SSN/SIN)
• User account/passwords.

Question 2 – What are the implications?

Ans:-

• Financial loss
• Identity Hi-jacking
• Decreased brand trust

Question 3 – What are the main cause of this vulnerability?

Ans:-

• Insufficient Transport Layer Protection
• Insecure Cryptographic storage
• Data stored in an unprotected manner can be easily stolen.

Question 4 – How to prevent yourself from Sensitive Data Exposure?

Ans:-

• Encrypt data during transport & at rest.
• Minimize data Surface area.
• Use the latest encryption algorithms.
• Disable autocomplete on forms that collect data.
• Disable caching on forms that collect data.

DEMO - Comming Soon!

~ Hack the World and Stay Noob

Twitter / Hack The Box / CTF Team / Teck_N00bs Community Telegram