
Sensitive Data Exposure Challenges

OWASP A02:2021 - Cryptographic Failures (Sensitive Data Exposure)
Sensitive data exposure occurs when applications don't adequately protect sensitive information such as credentials, API keys, and personal data from unauthorized access.
Exposed Credentials (Beginner)

Find credentials hidden in source code, HTML comments, configuration files, and git history. Learn why secrets should never be hardcoded.

  • Points: 100
  • Estimated Time: 15 minutes
  • Skills: Source code analysis, git forensics
Debug Endpoints (Easy)

Discover sensitive debug and development endpoints that should have been disabled in production. Access internal system information.

  • Points: 150
  • Estimated Time: 20 minutes
  • Skills: Endpoint enumeration, reconnaissance
Information Disclosure (Medium)

Extract sensitive information from verbose error messages, response headers, and different application behaviors. Exploit user enumeration.

  • Points: 200
  • Estimated Time: 25 minutes
  • Skills: Error analysis, fingerprinting

Learning Resources

Common Sensitive Data Exposure Vulnerabilities
  • Hardcoded Credentials: Passwords, API keys in source code or configs
  • Debug Endpoints: Development tools left enabled in production
  • Verbose Errors: Stack traces and internal details in error messages
  • Information Leakage: Server versions, internal IPs in headers
  • Git History: Secrets committed and later "removed" but still in history
  • Backup Files: .bak, .old, .swp files containing sensitive data
Where to Look for Secrets
  • HTML comments and JavaScript source
  • Configuration files (.env, config.json, appsettings.json)
  • Git history and commit messages
  • Error messages and stack traces
  • HTTP response headers
  • Debug/admin endpoints
  • robots.txt and sitemap.xml
  • API documentation and Swagger/OpenAPI specs
Prevention Techniques
  • Environment Variables: Store secrets in environment variables or injected runtime configuration, never in source code
  • Secret Managers: Use HashiCorp Vault, AWS Secrets Manager, etc.
  • Git Hooks: Scan for secrets before commits
  • Error Handling: Generic error messages in production
  • Security Headers: Remove version info, add security headers
  • Disable Debug: Ensure debug mode is off in production
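As an added example, not code from the challenge platform this page describes, the following Python script shows what the "Git Hooks" prevention item looks like in practice: a minimal pre-commit secret scanner that flags well-known credential formats (an AWS access key id, a PEM private-key header) and quoted credential-like assignments, skips placeholder values such as `changeme` or `${VAR}` references so that properly externalised configuration does not trip it, and records string entropy as a confidence hint. The sample configuration text is constructed for the example; the AWS key id in it is the documented example value from AWS's own documentation, not a live credential. The `scan_staged` helper shells out to `git diff --cached`, which is how such a script would be wired in as a hook; everything else runs offline.

```python
"""Minimal pre-commit secret scanner (added example, not the page's own code)."""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# Detection rules. The AKIA prefix and the PEM header are real formats;
# the generic assignment rule is a heuristic for `password = "..."` style lines.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that are clearly placeholders or references to externalised config are allowed.
ALLOWLIST = re.compile(r"(?i)^(changeme|example|placeholder|\$\{[^}]*\}|<[^>]*>|\*+)$")


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str
    entropy: float  # bits per character of the matched value; higher looks more random


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, skipping allowlisted placeholder values."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # For the generic rule the interesting part is the assigned value (group 2).
            value = match.group(2) if rule == "generic_assignment" else match.group(0)
            if rule == "generic_assignment" and ALLOWLIST.match(value):
                continue
            findings.append(Finding(path, line_no, rule, line.strip(), shannon_entropy(value)))
    return findings


def scan_staged() -> list[Finding]:
    """Scan files staged for commit; intended to be called from a pre-commit hook."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    findings: list[Finding] = []
    for name in names:
        try:
            with open(name, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(name, fh.read()))
        except OSError:
            continue  # deleted or unreadable paths are not our concern here
    return findings


# Constructed sample configuration used to demonstrate the scanner offline.
SAMPLE_CONFIG = """\
# constructed sample config, not a real file
DB_HOST = "db.internal"
DB_PASSWORD = "xK9#mQ2vL8pR4wZ7"
API_KEY = "changeme"
SESSION_SECRET = "${SESSION_SECRET}"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-----BEGIN RSA PRIVATE KEY-----
"""


def main() -> int:
    """Exit non-zero when findings exist so the commit is blocked."""
    findings = scan_staged() if len(sys.argv) > 1 and sys.argv[1] == "--staged" \
        else scan_text("sample_config.py", SAMPLE_CONFIG)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule} (entropy {f.entropy:.2f}): {f.snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without arguments to see the three hits in the constructed sample (the random-looking password, the AWS key id and the PEM header); the `changeme` placeholder and the `${SESSION_SECRET}` reference are skipped, which is exactly the shape a correctly externalised configuration should have. Installed as `.git/hooks/pre-commit` with `--staged`, the non-zero exit blocks the commit, which matters because, as the Git History item above notes, a secret that reaches history stays there even after a later "removal".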