Sensitive Data Exposure
detect, understand, remediate
Sensitive data exposure occurs when applications inadvertently leak PII, credentials, API keys, or internal details through responses, logs, error messages, or insecure storage.
No credit card required. Free plan available forever.
What is sensitive data exposure?
Sensitive data exposure occurs when an application inadvertently reveals protected information, including personally identifiable information (PII), credentials, API keys, internal system details, and financial records, through application responses, error messages, logs, insecure storage, or unencrypted network transmission.
Unlike vulnerabilities that require complex exploitation chains, data exposure often results from simple oversights: an API key embedded in client-side JavaScript, database credentials in an HTML comment, stack traces displayed to end users, or PII returned in API responses that should be redacted. These leaks are frequently discovered by automated scanners and web crawlers.
The impact of sensitive data exposure extends beyond the immediate leak. Exposed credentials enable account takeover, leaked API keys grant access to third-party services, and disclosed internal architecture details help attackers plan more sophisticated attacks. For organisations handling regulated data, exposure can trigger breach notification requirements and significant fines.
How it works
Probe application responses
Attacker inspects HTTP responses, JavaScript bundles, HTML source, and API endpoints for inadvertently exposed information.
Discover leaked data
Finds sensitive data such as API keys in JavaScript files, credentials in HTML comments, PII in API responses, or secrets in error messages.
Extract sensitive information
Collects exposed credentials, tokens, keys, personal data, or internal system details that can be used for further exploitation.
Leverage for attack
Uses extracted data for direct exploitation: accessing third-party services with stolen API keys, logging into accounts with leaked credentials, or planning targeted attacks using internal details.
Common causes
Sensitive data in client-side code
Storing API keys, secrets, or configuration values in JavaScript bundles, HTML source, or local storage where they are visible to any user.
Logging sensitive data
Writing credentials, tokens, PII, or payment details to application logs, error tracking systems, or analytics platforms without redaction.
Missing encryption at rest and in transit
Storing sensitive data unencrypted in databases or filesystems, and transmitting it over plain HTTP instead of TLS.
Exposing stack traces and hardcoded secrets
Displaying detailed error messages with internal paths and versions to users, and embedding secrets directly in source code rather than using environment variables.
How to detect it
Automated detection
- SecPortal's authenticated scanner detects AWS keys, private keys, PII patterns, and credentials in application responses and JavaScript bundles
- External scanning modules identify information disclosure through error messages, server headers, and exposed configuration files
- Code scanning detects hardcoded secrets, API keys, and credentials committed to source code repositories
Manual testing
- Inspect all HTTP responses, JavaScript files, and HTML source for embedded credentials, API keys, or internal information
- Review API responses to verify that sensitive fields are properly redacted and only necessary data is returned to the client
- Check source code repositories for committed secrets by searching the full git history and running entropy-based secret detection tools
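The checks listed above combine fixed-format patterns (AWS access key IDs, PEM private key headers, e-mail addresses, credentials left in HTML comments) with entropy-based detection for secrets that have no fixed format. The following Python is an added example of how such a scan works, written for this page; it is not SecPortal's scanner. The sample bundle, the rule names and the `scan_text`/`summarize` functions are constructed for the example, and the AKIA string only follows the key-ID format (it is not a real key).

```python
import math
import re
from dataclasses import dataclass

# Constructed sample of a served JavaScript bundle plus a page fragment. Every
# value is made up for this example: the AKIA... string merely follows the AWS
# access key ID format, and the PEM block carries no key material.
SAMPLE_RESPONSE = """
// app.bundle.js (constructed sample)
const config = {
  apiBase: "https://api.example.test/v1",
  awsAccessKeyId: "AKIAEXAMPLEKEY000001",
  reportingToken: "Zq8vN3xL1pR7tK2mW9yB4cD6fG0hJ5sA",
  supportEmail: "support@example.test",
};
<!-- TODO remove before release: db user admin, password chang3me -->
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, key material omitted)
-----END RSA PRIVATE KEY-----
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # which rule fired
    value: str  # matched text; pass through redact() before reporting
    line: int   # 1-based line number in the scanned text


# Fixed-format rules. The AWS access key ID shape (AKIA + 16 upper-case
# alphanumerics) and the PEM private key header are public formats; the e-mail
# rule is a simple PII pattern; the last rule catches credential keywords left
# inside HTML comments.
PATTERN_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("email_pii", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("html_comment_credential",
     re.compile(r"<!--.*?(?:password|passwd|secret|api[_-]?key).*?-->", re.I)),
]

# Entropy rule for secrets with no fixed format: long tokens whose characters
# are close to uniformly distributed. Tune the threshold on your own corpus.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage so the report itself does not re-leak."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list:
    """Apply the pattern rules, then the entropy rule, to each line of text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reported = set()
        for kind, rx in PATTERN_RULES:
            for m in rx.finditer(line):
                findings.append(Finding(kind, m.group(0), lineno))
                reported.add(m.group(0))
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if token in reported:
                continue  # already caught by a specific rule
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high_entropy_token", token, lineno))
    return findings


def summarize(findings) -> dict:
    """Count findings by rule, e.g. {'aws_access_key_id': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_text(SAMPLE_RESPONSE):
        print(f"line {f.line:>3}  {f.kind:<24} {redact(f.value)}")
```

Run it against your own JavaScript bundles, HTML and saved API responses. The entropy rule is deliberately separate from the pattern rules: fixed formats give precise hits, while the entropy threshold trades recall for false positives (long identifiers and hashes also score high), so findings from that rule need manual triage.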
How to fix it
Encrypt data at rest and in transit
Use AES-256 or equivalent for data at rest and enforce TLS 1.2+ for all data in transit. Never transmit sensitive data over plain HTTP.
Never store secrets in client-side code
Remove API keys, credentials, and configuration secrets from JavaScript bundles, HTML, and local storage. Use server-side proxies for third-party API calls.
Implement proper error handling
Return generic error messages to users while logging detailed diagnostics server-side. Never expose stack traces, database queries, or internal paths.
Classify and protect sensitive data
Maintain a data classification policy. Apply appropriate encryption, access controls, and redaction based on data sensitivity levels.
Use secrets management
Store all secrets in a dedicated secrets manager (e.g. HashiCorp Vault, AWS Secrets Manager). Rotate keys regularly and audit access.
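Three of the fixes above (redacting API responses, keeping sensitive data out of logs, and returning generic errors while logging diagnostics server-side) can be shown together. The Python below is an added example written for this page, not SecPortal's code or a specific framework's API; the allow-list, the redaction regexes, the `handle_request` wrapper and the constructed user record are all assumptions made for the example.

```python
import logging
import re
import traceback
import uuid

# --- 1. Redaction at the API boundary: allow-list, do not block-list --------

# Fields a client may see for a user record. Anything not listed is dropped,
# so a newly added sensitive column cannot leak by default.
USER_PUBLIC_FIELDS = {"id", "display_name", "email"}


def mask_email(email: str) -> str:
    """Partially mask an address: 'alice@example.test' -> 'a***@example.test'."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return local[:1] + "***@" + domain


def to_public_user(record: dict) -> dict:
    """Project a database row onto the allow-listed fields, masking the e-mail."""
    public = {k: v for k, v in record.items() if k in USER_PUBLIC_FIELDS}
    if "email" in public:
        public["email"] = mask_email(public["email"])
    return public


# --- 2. Redaction in logs: scrub before any handler writes ------------------

# (regex, replacement) pairs applied in order. The card-number rule is a
# coarse heuristic for 13-16 digit runs and will also hit long numeric ids.
SECRET_PATTERNS = [
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "AKIA[REDACTED]"),
    (re.compile(r"(authorization:\s*bearer\s+)\S+", re.I), r"\1[REDACTED]"),
    (re.compile(r"(password|passwd|secret|token)(=|:\s*)\S+", re.I), r"\1\2[REDACTED]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[REDACTED-PAN]"),
]


def scrub(message: str) -> str:
    """Apply every redaction rule to a log message."""
    for rx, repl in SECRET_PATTERNS:
        message = rx.sub(repl, message)
    return message


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message (including %-args) before output."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


logging.basicConfig(format="%(levelname)s %(name)s: %(message)s")
log = logging.getLogger("app")
log.addFilter(RedactingFilter())


# --- 3. Generic errors to the client, full diagnostics server-side ----------

def handle_request(handler, *args):
    """Call handler(*args); return (status, body) with no internals on failure."""
    try:
        return 200, handler(*args)
    except Exception:
        incident_id = uuid.uuid4().hex[:12]  # lets support find the log entry
        log.error("unhandled error incident=%s\n%s", incident_id, traceback.format_exc())
        return 500, {"error": "Internal server error", "incident_id": incident_id}


# Constructed "database" row: the hash and national id must never leave the server.
USERS = {
    7: {"id": 7, "display_name": "Alice", "email": "alice@example.test",
        "password_hash": "$argon2id$constructed-not-a-real-hash",
        "national_id": "000-00-0000"},
}


def get_user_endpoint(user_id: int) -> dict:
    return to_public_user(USERS[user_id])  # KeyError for unknown ids


if __name__ == "__main__":
    print(handle_request(get_user_endpoint, 7))
    print(handle_request(get_user_endpoint, 99))
    log.warning("login failed user=alice password=chang3me Authorization: Bearer eyJ.constructed")
```

The allow-list is the important design choice: a block-list of "fields to hide" fails silently the first time someone adds a column. The filter is attached to one logger here; attach it to the handler instead if every logger in the process (including third-party libraries) should pass through it. The incident id ties the generic client message to the full server-side trace without revealing paths, queries or versions.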
Detect data exposure automatically
SecPortal scans for leaked credentials, PII, API keys, and sensitive data in responses and code. Start free.