# Insertion of Sensitive Information Into Sent Data (CWE-201) The product sends data to another actor, but this data contains sensitive information that should not be accessible to that actor. **Stack:** JavaScript - Prevalence: मध्यम 3 भाषाएँ कवर की गईं - Impact: क्रिटिकल 3 क्रिटिकल गंभीरता वाले नियम - Prevention: प्रलेखित 3 फिक्स उदाहरण **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description An attacker may be able to intercept or receive data that contains sensitive information, such as credentials, tokens, or internal system details, that were not intended for them. ## Prevention 1 Shoulder डिटेक्शन नियमों पर आधारित Insertion of Sensitive Information के लिए रोकथाम रणनीतियाँ। ### JavaScript Validate webhook URLs against a domain allowlist and never send internal credentials ## Warning Signs - [CRITICAL] when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled e ## Consequences - एप्लिकेशन डेटा पढ़ना - विशेषाधिकार प्राप्त करना ## Mitigations - बाहरी पक्षों को भेजे जा रहे सभी डेटा की संवेदनशील जानकारी के लिए समीक्षा करें - डेटा वर्गीकरण लागू करें और सुनिश्चित करें कि संवेदनशील डेटा उचित रूप से सुरक्षित हो - संवेदनशील जानकारी प्रसारित करने के लिए सुरक्षित चैनलों का उपयोग करें ## Detection - Total rules: 3 - Critical: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Credential Exfiltration via User-Controlled Endpoint** [CRITICAL]: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro - Remediation: 1. Never send internal credentials to user-controlled endpoints 2. Validate webhook URLs against a strict allowlist of trusted domains 3. Use webhook secrets for authentication instead of sending API keys ```javascript // SAFE: Validate webhook URL against allowlist const ALLOWED_WEBHOOK_DOMAINS = ['api.slack.com', 'hooks.stripe.com']; const webhookUrl = new URL(req.body.webhookUrl); if (!ALLOWED_WEBHOOK_DOMAINS.includes(webhookUrl.hostname)) { return res.status(400).json({ error: 'Untrusted webhook domain' }); } // SAFE: Use webhook-specific secret, not internal API key await fetch(webhookUrl, { headers: { 'X-Webhook-Secret': req.body.webhookSecret } }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-201/credential-exfiltration ### Typescript (1 rules) - **Credential Exfiltration via User-Controlled Endpoint** [CRITICAL]: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro - Remediation: 1. Never send internal credentials to user-controlled endpoints 2. Validate webhook URLs against a strict allowlist of trusted domains 3. Use webhook secrets for authentication instead of sending API keys ```javascript // SAFE: Validate webhook URL against allowlist const ALLOWED_WEBHOOK_DOMAINS = ['api.slack.com', 'hooks.stripe.com']; const webhookUrl = new URL(req.body.webhookUrl); if (!ALLOWED_WEBHOOK_DOMAINS.includes(webhookUrl.hostname)) { return res.status(400).json({ error: 'Untrusted webhook domain' }); } // SAFE: Use webhook-specific secret, not internal API key await fetch(webhookUrl, { headers: { 'X-Webhook-Secret': req.body.webhookSecret } }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-201/credential-exfiltration