Insertion of Sensitive Information Into Sent Data (CWE-201)

Insertion of Sensitive Information Into Sent Data

The product sends data to another actor, but this data contains sensitive information that should not be accessible to that actor.

An attacker may be able to intercept or receive data that contains sensitive information, such as credentials, tokens, or internal system details, that were not intended for them.

Prévalence

Moyenne

3 langages couverts

Impact

Critique

3 règles de sévérité critique

Prévention

Documentée

3 exemples de correctifs

2 Prévention

Comment corriger cette vulnérabilité

Stratégies de prévention pour Insertion of Sensitive Information basées sur 3 règles de détection Shoulder.

🐹 Go Tout voir Go détails →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against an allowlist and never send internal credentials to user-controlled endpoints

+14 -4 go

- func webhook(w http.ResponseWriter, r *http.Request) {
-     endpoint := r.FormValue("webhook_url")
-     req, _ := http.NewRequest("POST", endpoint, nil)
-     req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
+ var allowedDomains = map[string]bool{
+     "api.slack.com":    true,
+     "hooks.stripe.com": true,
+ }
+ 
+ func webhook(w http.ResponseWriter, r *http.Request) {
+     endpoint := r.FormValue("webhook_url")
+     parsed, err := url.Parse(endpoint)
+     if err != nil || !allowedDomains[parsed.Host] {
+         http.Error(w, "Untrusted domain", 400)
+         return
+     }
+     req, _ := http.NewRequest("POST", endpoint, body)
+     req.Header.Set("X-Webhook-Secret", userWebhookSecret)
      client := &http.Client{}
      client.Do(req)
  }

🟨 JavaScript Tout voir JavaScript détails →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against a domain allowlist and never send internal credentials

+9 -3 javascript

- app.post('/webhook/register', async (req, res) => {
-   await fetch(req.body.webhookUrl, {
-     headers: { 'Authorization': `Bearer ${process.env.API_KEY}` }
+ const ALLOWED_DOMAINS = ['api.slack.com', 'hooks.stripe.com'];
+ 
+ app.post('/webhook/register', async (req, res) => {
+   const url = new URL(req.body.webhookUrl);
+   if (!ALLOWED_DOMAINS.includes(url.hostname)) {
+     return res.status(400).json({ error: 'Untrusted domain' });
+   }
+   await fetch(url, {
+     headers: { 'X-Webhook-Secret': req.body.webhookSecret }
    });
  });

3 Détection

Trouvez les vulnérabilités dans votre code

Utilisez Shoulder pour scanner votre code à la recherche de patterns Insertion of Sensitive Information Into Sent Data. 3 règles.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=201

# Or scan entire project
npx @shoulderdev/cli trust .

Règles de Détection (3)

🐹 Go 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```go // User controls 'endpoint' from request endpoint := r.FormValue("webhook_url") // Server sends its internal API key to attacker-controlled URL req, _ := http.NewRequest("POST", endpoint, nil) req.Header.

🟨 Javascript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro

🔷 Typescript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro

🐍 Python 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```python # User controls 'endpoint' from request endpoint = request.form.get('webhook_url') # Server sends its internal API key to attacker-controlled URL requests.post(endpoint, headers={'X-API-Key': os.envir

4 Signes d'Alerte

Ce qu'il faut surveiller lors des revues de code

Ces patterns indiquent des vulnérabilités potentielles Insertion of Sensitive Information Into Sent Data. Recherchez-les lors des revues de code et des audits de sécurité.

🔴

when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled e go-webhook-credential-exfiltration

🔍

Scannez votre base de code pour Insertion of Sensitive Information Into Sent Data

Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.

npx shoulder trust Parcourir toutes les règles