Skip to content

Secret information stored in the application

Secret information stored in the application

Description

The application is detected to contain secret credentials, like SSH keys, private certificates, or private API keys.

Secrets can be split into three categories with different risk profiles:

  • Over-billing: affects API keys that grant access to services like Google Maps and are billed by the number of requests. Attackers will harvest the keys to access the service without paying while the target is paying for the service.

  • Unauthorized Access: affects keys, secrets, and tokens that grant access to services like S3 buckets. If the service is improperly configured, attackers can get access to unauthorized data or elevate their privileges through other services.

Recommendation

Sensitive data must not be packaged with the application. If access to this data is required, apply procedures to securely encrypt, store, and retrieve credentials for your services.

For keys that have a risk of over-billing, ensure the API Key is implementing key pinning or is exposing the service through authenticated APIs.

Key-pinning restricts usage of the key to the application through a cryptographic signature and is a setting to enable by the service provider, like Google Maps.

For keys that may cause unauthorized access, restrict the permissions and roles to non-critical or expose the service through an authenticated API.

The API must implement proper access control and rate-limiting, and keys should be rotated periodically.

Standards

  • OWASP_MASVS_L1:
    • MSTG_STORAGE_1
  • OWASP_MASVS_L2:
    • MSTG_STORAGE_1
  • CWE_TOP_25:
    • CWE_798