Insertion of Sensitive Information Into Sent Data (CWE-201)

Insertion of Sensitive Information Into Sent Data

The product sends data to another actor, but this data contains sensitive information that should not be accessible to that actor.

An attacker may be able to intercept or receive data that contains sensitive information, such as credentials, tokens, or internal system details, that were not intended for them.

Prevalencia

Media

3 lenguajes cubiertos

Impacto

Crítico

3 reglas de severidad crítica

Prevención

Documentada

3 ejemplos de corrección

2 Prevención

Cómo corregir esta vulnerabilidad

Estrategias de prevención para Insertion of Sensitive Information basadas en 3 reglas de detección de Shoulder.

🐹 Go Ver todo Go detalles →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against an allowlist and never send internal credentials to user-controlled endpoints

+14 -4 go

- func webhook(w http.ResponseWriter, r *http.Request) {
-     endpoint := r.FormValue("webhook_url")
-     req, _ := http.NewRequest("POST", endpoint, nil)
-     req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
+ var allowedDomains = map[string]bool{
+     "api.slack.com":    true,
+     "hooks.stripe.com": true,
+ }
+ 
+ func webhook(w http.ResponseWriter, r *http.Request) {
+     endpoint := r.FormValue("webhook_url")
+     parsed, err := url.Parse(endpoint)
+     if err != nil || !allowedDomains[parsed.Host] {
+         http.Error(w, "Untrusted domain", 400)
+         return
+     }
+     req, _ := http.NewRequest("POST", endpoint, body)
+     req.Header.Set("X-Webhook-Secret", userWebhookSecret)
      client := &http.Client{}
      client.Do(req)
  }

🟨 JavaScript Ver todo JavaScript detalles →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against a domain allowlist and never send internal credentials

+9 -3 javascript

- app.post('/webhook/register', async (req, res) => {
-   await fetch(req.body.webhookUrl, {
-     headers: { 'Authorization': `Bearer ${process.env.API_KEY}` }
+ const ALLOWED_DOMAINS = ['api.slack.com', 'hooks.stripe.com'];
+ 
+ app.post('/webhook/register', async (req, res) => {
+   const url = new URL(req.body.webhookUrl);
+   if (!ALLOWED_DOMAINS.includes(url.hostname)) {
+     return res.status(400).json({ error: 'Untrusted domain' });
+   }
+   await fetch(url, {
+     headers: { 'X-Webhook-Secret': req.body.webhookSecret }
    });
  });

3 Detección

Encuentra vulnerabilidades en tu código

Usa Shoulder para escanear tu código en busca de patrones Insertion of Sensitive Information Into Sent Data. 3 reglas.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=201

# Or scan entire project
npx @shoulderdev/cli trust .

Reglas de Detección (3)

🐹 Go 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```go // User controls 'endpoint' from request endpoint := r.FormValue("webhook_url") // Server sends its internal API key to attacker-controlled URL req, _ := http.NewRequest("POST", endpoint, nil) req.Header.

🟨 Javascript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro

🔷 Typescript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro

🐍 Python 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```python # User controls 'endpoint' from request endpoint = request.form.get('webhook_url') # Server sends its internal API key to attacker-controlled URL requests.post(endpoint, headers={'X-API-Key': os.envir

4 Señales de Alerta

Qué buscar en las revisiones de código

Estos patrones indican vulnerabilidades potenciales de Insertion of Sensitive Information Into Sent Data. Búscalos durante las revisiones de código y auditorías de seguridad.

🔴

when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled e go-webhook-credential-exfiltration

🔍

Escanea tu base de código para Insertion of Sensitive Information Into Sent Data

Shoulder CLI encuentra patrones vulnerables en toda tu base de código.

npx shoulder trust Ver todas las reglas