Insertion of Sensitive Information Into Sent Data (CWE-201)

Insertion of Sensitive Information Into Sent Data

The product sends data to another actor, but this data contains sensitive information that should not be accessible to that actor.

An attacker may be able to intercept or receive data that contains sensitive information, such as credentials, tokens, or internal system details, that were not intended for them.

보급률

보통

3개 언어 지원

영향

치명적

3개의 치명적 심각도 규칙

예방

문서화됨

3개의 수정 예시

2 예방

이 취약점을 수정하는 방법

3개의 Shoulder 탐지 규칙을 기반으로 한 Insertion of Sensitive Information 예방 전략.

🐹 Go 모두 보기 Go 자세히 →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against an allowlist and never send internal credentials to user-controlled endpoints

+14 -4 go

- func webhook(w http.ResponseWriter, r *http.Request) {
-     endpoint := r.FormValue("webhook_url")
-     req, _ := http.NewRequest("POST", endpoint, nil)
-     req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
+ var allowedDomains = map[string]bool{
+     "api.slack.com":    true,
+     "hooks.stripe.com": true,
+ }
+ 
+ func webhook(w http.ResponseWriter, r *http.Request) {
+     endpoint := r.FormValue("webhook_url")
+     parsed, err := url.Parse(endpoint)
+     if err != nil || !allowedDomains[parsed.Host] {
+         http.Error(w, "Untrusted domain", 400)
+         return
+     }
+     req, _ := http.NewRequest("POST", endpoint, body)
+     req.Header.Set("X-Webhook-Secret", userWebhookSecret)
      client := &http.Client{}
      client.Do(req)
  }

🟨 JavaScript 모두 보기 JavaScript 자세히 →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against a domain allowlist and never send internal credentials

+9 -3 javascript

- app.post('/webhook/register', async (req, res) => {
-   await fetch(req.body.webhookUrl, {
-     headers: { 'Authorization': `Bearer ${process.env.API_KEY}` }
+ const ALLOWED_DOMAINS = ['api.slack.com', 'hooks.stripe.com'];
+ 
+ app.post('/webhook/register', async (req, res) => {
+   const url = new URL(req.body.webhookUrl);
+   if (!ALLOWED_DOMAINS.includes(url.hostname)) {
+     return res.status(400).json({ error: 'Untrusted domain' });
+   }
+   await fetch(url, {
+     headers: { 'X-Webhook-Secret': req.body.webhookSecret }
    });
  });

3 탐지

코드에서 취약점 찾기

Shoulder를 사용하여 코드에서 Insertion of Sensitive Information Into Sent Data 패턴을 스캔하세요. 3 규칙.

터미널

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=201

# Or scan entire project
npx @shoulderdev/cli trust .

탐지 규칙 (3)

🐹 Go 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```go // User controls 'endpoint' from request endpoint := r.FormValue("webhook_url") // Server sends its internal API key to attacker-controlled URL req, _ := http.NewRequest("POST", endpoint, nil) req.Header.

🟨 Javascript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro

🔷 Typescript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro

🐍 Python 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```python # User controls 'endpoint' from request endpoint = request.form.get('webhook_url') # Server sends its internal API key to attacker-controlled URL requests.post(endpoint, headers={'X-API-Key': os.envir

4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Insertion of Sensitive Information Into Sent Data 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🔴

when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled e go-webhook-credential-exfiltration

🔍

코드베이스를 스캔하세요: Insertion of Sensitive Information Into Sent Data

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.

npx shoulder trust 모든 규칙 보기