261 – Avoid exposing sensitive information

Summary

The application must not expose sensitive information in sections that are publicly accessible.

Description

Some applications have sections such as web pages and endpoints that are publicly exposed or do not require an initiated session to be accessed. These sections should contain neither sensitive corporate information nor users or employees personal data. Furthermore, corporate sensitive information should not be exposed on personal social network accounts either.

Supported In

Advanced: True

References

• CAPEC-116. Excavation
• CWE-200. Exposure of sensitive information to an unauthorized actor
• CWE-359. Exposure of private personal information to an unauthorized actor
• EPRIVACY-4_1a. Security of processing
• GDPR-5_1f. Principles relating to processing of personal data
• OWASP10-A2. Cryptographic failures
• PADSS-9_1. Any web server and any cardholder data storage component are not required to be on the same server
• PDPA-6_24. Protection of personal data
• CMMC-AC_L1-3_1_22. Control public information
• HITRUST-09_z. Publicly available information
• FEDRAMP-AC-22. Publicly accessible content
• ISO27002-8_1. User endpoint devices
• LGPD-7_X-3. Requirements for the Processing of Personal Data
• WASSEC-6_2_5_2. Information disclosure - Information leakage
• WASC-A_34. Predictable resource location
• WASC-W_13. Information leakage
• FERPA-D_35_a_2. Conditions of prior consent required to disclose information
• FERPA-D_35_b_1. Conditions of prior consent required to disclose information
• NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• ISSAF-T_19_2. Web application assessment - Global Countermeasures (server-side)
• OWASPRISKS-P1. Web application vulnerabilities
• OWASPRISKS-P2. Operator-sided data leakage
• ASVS-13_1_3. Generic web service security
• PCI-1_4_5. Do not disclosure of internal IP addresses and routing information
• PCI-6_5_5. Changes to all system components are managed securely
• OWASPAPI-API3. Broken Object Property Level Authorization
• ISO27001-8_1. User endpoint devices
• CASA-13_1_3. Generic Web Service Security
• OWASPMASVS-PRIVACY-1. The app minimizes access to sensitive data and resources
• OWASPLLM-LLM02:2025. Sensitive Information Disclosure
• OWASPLLM-LLM07:2025. System Prompt Leakage
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses

Weaknesses

• 213 – Business information leak - JWT
• 214 – Business information leak - Credentials
• 215 – Business information leak - Repository
• 216 – Business information leak - Source Code
• 217 – Business information leak - Credit Cards
• 218 – Business information leak - Network Unit
• 219 – Business information leak - Redis
• 220 – Business information leak - Token
• 221 – Business information leak - Users
• 222 – Business information leak - DB
• 223 – Business information leak - JFROG
• 224 – Business information leak - AWS
• 225 – Business information leak - Azure
• 226 – Business information leak - Personal Information
• 227 – Business information leak - NAC
• 228 – Business information leak - Analytics
• 229 – Business information leak - Power BI
• 230 – Business information leak - Firestore
• 291 – Business information leak - Financial Information
• 336 – Business information leak - Corporate information
• 038 – Business information leak
• 080 – Business information leak - Customers or providers

Last updated

2025/06/17