Secret information transmitted over the network
Description
The application was detected transmitting secret credentials, such as SSH keys, private certificates, or private API keys, over the network.
Secrets can be split into two categories with different risk profiles:
- Over-billing: affects API keys that grant access to services like Google Maps that are billed per request. Attackers harvest such keys to use the service without paying, while the key owner pays for their usage.
- Unauthorized access: affects keys, secrets, and tokens that grant access to services like S3 buckets. If the service is improperly configured, attackers can gain access to unauthorized data or elevate their privileges through other services.
Recommendation
To mitigate the risks associated with hard-coded or leaked secrets, consider the following:
- Adopt Tokenization or Authentication Mechanisms: Instead of transmitting raw credentials, consider implementing tokenization or authentication mechanisms such as OAuth or JWT (JSON Web Tokens) for accessing APIs. This reduces the risk of exposing sensitive credentials during transmission.
- Implement Secure Transmission Protocols: Ensure that all communications transmitting sensitive credentials are encrypted using secure protocols such as TLS (Transport Layer Security) to prevent eavesdropping and interception of credentials during transmission.
- Rotate Credentials Regularly: Implement a credential rotation policy to regularly rotate API keys, tokens, and other sensitive credentials. This minimizes the window of opportunity for attackers who may have intercepted credentials during transmission.
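As an added example (not part of the original finding text), the following detector applies the description's two risk categories to a captured request log: it looks for private-key blocks and for the publicly documented formats of AWS access key IDs and Google API keys in request headers and bodies, tags each hit with its category, and notes whether the transport was plaintext HTTP rather than TLS. The capture and the key values in it are constructed placeholders.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Raw credential material that should not travel as a long-lived secret in a request.
# The formats are the publicly documented ones; no real keys appear in this file.
SECRET_PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

# Risk category per secret type, following the two categories in the description.
RISK_CATEGORY = {
    "google_api_key": "over-billing",
    "aws_access_key_id": "unauthorized-access",
    "private_key_block": "unauthorized-access",
}

@dataclass
class Finding:
    url: str
    kind: str
    category: str
    plaintext_transport: bool  # True when the request did not use https

def scan_request(url: str, headers: dict, body: str) -> list:
    """Return one Finding per secret type found in the headers or body of one request."""
    plaintext = urlsplit(url).scheme.lower() != "https"
    haystack = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
    return [Finding(url, kind, RISK_CATEGORY[kind], plaintext)
            for kind, pattern in SECRET_PATTERNS.items() if pattern.search(haystack)]

def scan_capture(requests: list) -> list:
    """Scan a list of {"url", "headers", "body"} records, e.g. exported from a proxy."""
    findings = []
    for req in requests:
        findings.extend(scan_request(req["url"], req.get("headers", {}), req.get("body", "")))
    return findings

# Constructed sample capture; the key values are made-up placeholders, not real credentials.
SAMPLE_CAPTURE = [
    {"url": "http://maps.example.test/geocode", "headers": {"X-Api-Key": "AIza" + "A" * 35}},
    {"url": "https://sync.example.test/upload",
     "headers": {"Authorization": "AWS " + "AKIA" + "A" * 16 + ":signature"},
     "body": "-----BEGIN OPENSSH PRIVATE KEY-----\nc29tZSBmYWtlIGtleQ==\n-----END OPENSSH PRIVATE KEY-----"},
    {"url": "https://api.example.test/v1/items", "headers": {"Authorization": "Bearer short-lived-token"}},
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"{f.kind} ({f.category}) sent to {f.url}, plaintext={f.plaintext_transport}")
```

The third request, which carries only a short-lived bearer token over TLS, produces no finding, which is the shape the recommendations above aim for.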
Links
Standards
- PCI_STANDARDS:
  - REQ_1_2