Sensitive Data Exposure

OWASP Top 10 - A3

What is Sensitive Data Exposure?

The first thing you have to determine is which data is sensitive enough to require extra protection. For example:

  • Banking information: account numbers, credit card numbers.
  • Health information.
  • Personal information: SSN/SIN, date of birth, etc.
  • User account/passwords.

Exposure of this kind of data typically leads to:

  • Financial loss.
  • Identity hijacking.
  • Decreased brand trust.

Sensitive Data Exposure examples

Example #1: Credit card encryption

An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text.


  • The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.
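The split the bullet describes, as an added example in Go that is not code from the original page or from Hdiv: the web tier holds only an RSA public key and encrypts the card number before it reaches the database column, while a separate back-end service holds the private key. The `cardColumn` map, the OAEP label `pan-v1`, the customer id and the test card number are all constructed for the example; a raw read of the stored column, which is what an injected query gets, returns only ciphertext.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// oaepLabel binds ciphertexts to this use; encrypt and decrypt must agree on it.
var oaepLabel = []byte("pan-v1")

// cardColumn stands in for the database column. Unlike automatic database
// encryption, it only ever holds ciphertext, so any query that reads it, an
// injected one included, never sees a clear-text card number.
type cardColumn map[string][]byte

// newKeyPair generates the back-end's private key; only its public half is
// handed to the web tier.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptPAN runs in the web tier, which has the public key only.
func encryptPAN(pub *rsa.PublicKey, pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
}

// decryptPAN runs only in the back-end service that holds the private key.
func decryptPAN(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// rawReadLeaksPAN models the attack in the text: it reads the stored column
// directly, as an injected query would, and reports whether the clear-text
// card number is visible in what comes back.
func rawReadLeaksPAN(col cardColumn, customer, pan string) bool {
	return bytes.Contains(col[customer], []byte(pan))
}

func main() {
	priv, err := newKeyPair()
	if err != nil {
		log.Fatal(err)
	}
	col := cardColumn{}
	pan := "4111111111111111" // constructed test card number
	ct, err := encryptPAN(&priv.PublicKey, pan)
	if err != nil {
		log.Fatal(err)
	}
	col["customer-42"] = ct
	fmt.Println("raw column read leaks PAN:", rawReadLeaksPAN(col, "customer-42", pan))
	back, _ := decryptPAN(priv, col["customer-42"])
	fmt.Println("back-end decrypt matches:", back == pan)
}
```

The point of the split is that a compromise of the web tier or the database yields ciphertext only; the private key lives in a service that never takes input from the web front end.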

Example #2: SSL is not used for all authenticated pages


  • Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.

Example #3: The password database uses unsalted hashes to store everyone’s passwords


  • A file upload flaw allows an attacker to retrieve the password file. All of the unsalted hashes can be exposed with a rainbow table of precalculated hashes.
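The contrast the bullet draws, as an added example in Go that is not code from the original page or from Hdiv: an unsalted SHA-256 digest is the same for every user with the same password, which is exactly what a precomputed table exploits, while a per-user random salt and an iterated key derivation make each stored record unique and slow to brute-force. PBKDF2 with HMAC-SHA256 is written out here only so the example needs nothing beyond the standard library; the record format `pbkdf2-sha256$iterations$salt$key`, the salt length and the iteration count are choices made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"log"
	"strconv"
	"strings"
)

const (
	saltLen    = 16
	iterations = 600_000 // work factor; raise it as hardware gets faster
	keyLen     = 32
)

// unsaltedHash is the scheme the text describes: the same password always
// gives the same digest, so one precomputed table cracks every account.
func unsaltedHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF:
// T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (dkLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	counter := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		binary.BigEndian.PutUint32(counter, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(counter)
		u := prf.Sum(nil)               // U_1
		t := append([]byte(nil), u...) // running xor
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// hashPassword draws a fresh random salt per password and stores it, with the
// work factor, next to the derived key so verification can repeat the work.
func hashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s",
		iterations, hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// verifyPassword recomputes the derived key from the stored salt and work
// factor and compares in constant time; a malformed record never verifies.
func verifyPassword(record, password string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil || len(want) == 0 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	fmt.Println("unsalted, user A:", unsaltedHash("password"))
	fmt.Println("unsalted, user B:", unsaltedHash("password")) // identical
	a, err := hashPassword("password")
	if err != nil {
		log.Fatal(err)
	}
	b, _ := hashPassword("password")
	fmt.Println("salted, user A:", a)
	fmt.Println("salted, user B:", b) // differs: no shared precomputation
	fmt.Println("verify right/wrong:", verifyPassword(a, "password"), verifyPassword(a, "passw0rd"))
}
```

In production a maintained implementation of bcrypt, scrypt or Argon2 is the usual choice; the structure is the same: per-user salt, tunable cost, constant-time comparison.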

How to prevent Sensitive Data Exposure

  • Encrypt data during transport and at rest.
  • Minimize data surface area.
  • Use up-to-date encryption algorithms.
  • Disable autocomplete on forms that collect data.
  • Disable caching on forms that collect data.
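How Example #2 and the transport-related items in the list above look in a web application, as an added example in Go that is not code from the original page or from Hdiv: a middleware refuses to serve any page over plain HTTP, the session cookie carries the Secure, HttpOnly and SameSite attributes so a network observer never sees it in clear text, and the authenticated page that collects card data is served with `Cache-Control: no-store` and `autocomplete="off"` on its form. The host name, path, session id and form markup are constructed for the example; `probe` drives the handler in-process with `httptest` instead of a real listener.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireTLS runs before every handler. A request that did not arrive over
// TLS is redirected to its https:// equivalent before any cookie or private
// data can be written to the clear-text connection.
func requireTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		// Tell browsers to use HTTPS for this host from now on (HSTS).
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// sessionCookie returns the session cookie with the attributes that keep it
// off the wire in clear text (Secure), away from page scripts (HttpOnly) and
// out of cross-site requests (SameSite).
func sessionCookie(id string) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    id,
		Path:     "/",
		MaxAge:   3600,
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	}
}

// accountPage is an authenticated page that collects card data: the response
// must not be cached and the form must not be autocompleted.
func accountPage(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, sessionCookie("constructed-session-id"))
	w.Header().Set("Cache-Control", "no-store")
	w.Header().Set("Pragma", "no-cache")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, `<form method="post" autocomplete="off">`+
		`<input name="card" autocomplete="off"></form>`)
}

// newServer wires the middleware around the authenticated routes.
func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/account", accountPage)
	return requireTLS(mux)
}

// probe sends one request through the handler; httptest marks a request whose
// target has the https scheme as having arrived over TLS.
func probe(h http.Handler, target string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", target, nil))
	return rec
}

func main() {
	srv := newServer()
	plain := probe(srv, "http://shop.example/account")
	fmt.Println("plain HTTP:", plain.Code, plain.Header().Get("Location"))
	secure := probe(srv, "https://shop.example/account")
	fmt.Println("HTTPS:", secure.Code, secure.Header().Get("Set-Cookie"))
	// In production the same handler is served with
	// http.ListenAndServeTLS(":443", "cert.pem", "key.pem", srv).
}
```

The redirect alone does not protect a cookie the browser already holds; the Secure attribute is what stops the browser from attaching it to the first plain-HTTP request, and HSTS keeps later requests from ever being made in clear text.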

How Hdiv protects against A3 risk

Risk Covered

  • Hdiv provides utilities to avoid sending sensitive data to the client and to detect insecure obfuscation techniques.