Secret information transmitted over the network

Secret information transmitted over the network

Risk: potentially

Description

The application is detected to transmit secret credentials, like SSH keys, private certificates, or private API keys over the network.

Secrets can be split into three categories with different risk profiles:

• Over-billing: affects API keys that grant access to services like Google Maps and are billed by a number of requests. Attackers will harvest the keys to access the service without paying while the target is paying for the service.

• Unauthorized Access: affects keys, secrets, and tokens that grant access to services like S3 buckets. If the service is improperly configured, attackers can get access to unauthorized data or elevate their privileges through other services.

Recommendation

Sensitive secrets that suffer from over-billing or unauthorized access must be transmitted to the application.

Access to the service must be exposed through an API and implement proper access control and rate-limiting.

Links

• CWE-200: Data Exposure
• What Is AWS Secrets Manager?

Standards

• PCI_STANDARDS:
  • REQ_1_2