Sensitive Information Disclosure - Full Path Disclosure

Description

Sensitive Information Disclosure - Full Path Disclosure is a vulnerability where an application inadvertently reveals the full file path of a resource, potentially exposing sensitive information about the application's directory structure to attackers. This can occur due to error messages or debug information that include the full file path, aiding attackers in understanding the system's architecture and facilitating targeted attacks. To mitigate this vulnerability, developers should ensure that error messages and debug information are properly handled to avoid disclosing sensitive file paths and implement strict access controls to limit unauthorized access to system resources.
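As an added illustration for this entry (not code from the page or from any referenced project), the Python below contrasts an error handler that echoes the raw exception, and with it the absolute path of a missing template, against one that logs the detail server-side and returns only a correlation id. It also includes a simple response-body check for absolute paths that a reviewer or scanner can run over captured responses to flag this class of leak. The exception text, the file paths and the directory names in the patterns are constructed sample values, not taken from any real system.

```python
"""Full Path Disclosure: a leaking and a non-leaking error handler, plus a
response-body check for absolute paths.

Added example for this entry; not the page's or any project's own code.
All paths, messages and patterns below are constructed sample data.
"""
import logging
import re
import uuid

log = logging.getLogger("app")

# Constructed sample: the exception an application might raise when a
# template file is missing. The message carries the absolute path.
SAMPLE_ERROR = FileNotFoundError(
    "[Errno 2] No such file or directory: '/var/www/shop/app/templates/invoice.html'"
)


def leaky_error_response(exc: Exception) -> dict:
    """Vulnerable pattern: the exception text, including the absolute path
    of the resource, is copied straight into the HTTP response body."""
    return {"status": 500, "body": f"Internal error: {exc}"}


def safe_error_response(exc: Exception) -> dict:
    """Hardened pattern: record the detail server-side under a correlation id
    and give the client only that id, never the exception text or a path."""
    ref = uuid.uuid4().hex[:12]
    log.error("unhandled error ref=%s detail=%r", ref, exc)
    return {"status": 500, "body": f"Internal error. Reference: {ref}"}


# Patterns for spotting absolute paths in response bodies (constructed for
# this example; extend the directory list for the platform under review).
# The lookbehind keeps URL paths such as "example.com/var/..." from matching,
# and at least one further segment is required so a bare "/etc" is ignored.
_UNIX_PATH = re.compile(
    r"(?<![\w/])/(?:var|etc|home|usr|opt|srv|tmp|root)(?:/[\w.\-]+)+"
)
# Drive letter, colon, backslash, then backslash-separated segments.
_WINDOWS_PATH = re.compile(r"\b[A-Za-z]:\\(?:[\w.\-]+\\)*[\w.\-]+")


def find_disclosed_paths(body: str) -> list[str]:
    """Return every absolute file path found in a response body, de-duplicated
    and sorted, so a finding can be raised for each distinct disclosed path."""
    hits = _UNIX_PATH.findall(body) + _WINDOWS_PATH.findall(body)
    return sorted(set(hits))


if __name__ == "__main__":
    for handler in (leaky_error_response, safe_error_response):
        body = handler(SAMPLE_ERROR)["body"]
        print(f"{handler.__name__}: {body!r}")
        print("  disclosed paths:", find_disclosed_paths(body))
```

The check is deliberately narrow: it looks only for path shapes that begin at a well-known root or a drive letter, which keeps noise low on ordinary HTML but means a path under an unusual root needs the directory list extended.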

Remediation

Do the following, at a minimum, and consult the references:

* Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
* Apply controls as per the classification.
* Don't store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS-compliant tokenization or even truncation. Data that is not retained cannot be stolen.
* Make sure to encrypt all sensitive data at rest.
* Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
* Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
* Disable caching for responses that contain sensitive data.
* Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or PBKDF2.
* Verify independently the effectiveness of configuration and settings.

References

https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
https://cwe.mitre.org/data/definitions/200.html

Severity

MEDIUM

OWASP

Code: A02:2021

Category: Cryptographic Failures

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (score 5.3)
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (score 5.3)