# Insertion of Sensitive Information Into Sent Data (CWE-201)

The product sends data to another actor, but this data contains sensitive information that should not be accessible to that actor.

**Stack:** Go

- Prevalence: मध्यम 3 भाषाएँ कवर की गईं
- Impact: क्रिटिकल 3 क्रिटिकल गंभीरता वाले नियम
- Prevention: प्रलेखित 3 फिक्स उदाहरण

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

An attacker may be able to intercept or receive data that contains sensitive information, such as credentials, tokens, or internal system details, that were not intended for them.

## Prevention

1 Shoulder डिटेक्शन नियमों पर आधारित Insertion of Sensitive Information के लिए रोकथाम रणनीतियाँ।

### Go

Validate webhook URLs against an allowlist and never send internal credentials to user-controlled endpoints

## Warning Signs

- [CRITICAL] when internal credentials (API keys, secrets, tokens) are sent in HTTP requests
to user-controlled e

## Consequences

- एप्लिकेशन डेटा पढ़ना
- विशेषाधिकार प्राप्त करना

## Mitigations

- बाहरी पक्षों को भेजे जा रहे सभी डेटा की संवेदनशील जानकारी के लिए समीक्षा करें
- डेटा वर्गीकरण लागू करें और सुनिश्चित करें कि संवेदनशील डेटा उचित रूप से सुरक्षित हो
- संवेदनशील जानकारी प्रसारित करने के लिए सुरक्षित चैनलों का उपयोग करें

## Detection

- Total rules: 3
- Critical: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Credential Exfiltration via User-Controlled Endpoint** [CRITICAL]: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests
to user-controlled endpoints. This allows attackers to exfiltrate server credentials
by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:
```go
// User controls 'endpoint' from request
endpoint := r.FormValue("webhook_url")

// Server sends its internal API key to attacker-controlled URL
req, _ := http.NewRequest("POST", endpoint, nil)
req.Header.
  - Remediation: 1. Never send internal credentials to user-controlled endpoints
2. Validate webhook URLs against a strict allowlist of trusted domains
3. Use webhook secrets for authentication instead of sending API keys

```go
allowedDomains := map[string]bool{
    "api.slack.com":    true,
    "hooks.stripe.com": true,
}

parsed, err := url.Parse(webhookURL)
if err != nil || !allowedDomains[parsed.Host] {
    return errors.New("untrusted webhook domain")
}

// Use webhook-specific secret, not internal API key
req, _ := http.NewRequest("POST", webhookURL, body)
req.Header.Set("X-Webhook-Secret", userWebhookSecret)
client.Do(req)
```

Learn more: https://shoulder.dev/learn/go/cwe-201/credential-exfiltration