Insertion of Sensitive Information Into Sent Data (CWE-201)

Insertion of Sensitive Information Into Sent Data

The product sends data to another actor, but this data contains sensitive information that should not be accessible to that actor.

An attacker may be able to intercept or receive data that contains sensitive information, such as credentials, tokens, or internal system details, that were not intended for them.

Prevalence

Medium

3 languages covered

Impact

Critical

3 critical-severity rules

Prevention

Documented

3 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for Insertion of Sensitive Information based on 3 Shoulder detection rules.

🐹 Go View all Go details →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against an allowlist and never send internal credentials to user-controlled endpoints

+14 -4 go

- func webhook(w http.ResponseWriter, r *http.Request) {
-     endpoint := r.FormValue("webhook_url")
-     req, _ := http.NewRequest("POST", endpoint, nil)
-     req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
+ var allowedDomains = map[string]bool{
+     "api.slack.com":    true,
+     "hooks.stripe.com": true,
+ }
+ 
+ func webhook(w http.ResponseWriter, r *http.Request) {
+     endpoint := r.FormValue("webhook_url")
+     parsed, err := url.Parse(endpoint)
+     if err != nil || !allowedDomains[parsed.Host] {
+         http.Error(w, "Untrusted domain", 400)
+         return
+     }
+     req, _ := http.NewRequest("POST", endpoint, body)
+     req.Header.Set("X-Webhook-Secret", userWebhookSecret)
      client := &http.Client{}
      client.Do(req)
  }

🟨 JavaScript View all JavaScript details →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against a domain allowlist and never send internal credentials

+9 -3 javascript

- app.post('/webhook/register', async (req, res) => {
-   await fetch(req.body.webhookUrl, {
-     headers: { 'Authorization': `Bearer ${process.env.API_KEY}` }
+ const ALLOWED_DOMAINS = ['api.slack.com', 'hooks.stripe.com'];
+ 
+ app.post('/webhook/register', async (req, res) => {
+   const url = new URL(req.body.webhookUrl);
+   if (!ALLOWED_DOMAINS.includes(url.hostname)) {
+     return res.status(400).json({ error: 'Untrusted domain' });
+   }
+   await fetch(url, {
+     headers: { 'X-Webhook-Secret': req.body.webhookSecret }
    });
  });

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Insertion of Sensitive Information Into Sent Data patterns. 3 rules.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=201

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (3)

🐹 Go 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```go // User controls 'endpoint' from request endpoint := r.FormValue("webhook_url") // Server sends its internal API key to attacker-controlled URL req, _ := http.NewRequest("POST", endpoint, nil) req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY")) client.Do(req) ``` This is different from standard SSRF (which accesses internal resources) - here the attacker exfiltrates server credentials to their own controlled endpoint.

🟨 Javascript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': process.env.INTERNAL_API_KEY } }); ``` This is different from standard SSRF (which accesses internal resources) - here the attacker exfiltrates server credentials to their own controlled endpoint.

🔷 Typescript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': process.env.INTERNAL_API_KEY } }); ``` This is different from standard SSRF (which accesses internal resources) - here the attacker exfiltrates server credentials to their own controlled endpoint.

🐍 Python 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```python # User controls 'endpoint' from request endpoint = request.form.get('webhook_url') # Server sends its internal API key to attacker-controlled URL requests.post(endpoint, headers={'X-API-Key': os.environ['INTERNAL_API_KEY']}) ``` This is different from standard SSRF (which accesses internal resources) - here the attacker exfiltrates server credentials to their own controlled endpoint.

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Insertion of Sensitive Information Into Sent Data vulnerabilities. Look for these during code reviews and security audits.

🔴

when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled e go-webhook-credential-exfiltration

🔍

Scan your codebase for Insertion of Sensitive Information Into Sent Data

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules