Insertion of Sensitive Information Into Sent Data (CWE-201)

Insertion of Sensitive Information Into Sent Data

The product sends data to another actor, but this data contains sensitive information that should not be accessible to that actor.

An attacker may be able to intercept or receive data that contains sensitive information, such as credentials, tokens, or internal system details, that were not intended for them.

普遍性

中

覆盖 3 种语言

影响

关键

3 条严重级别为关键的规则

预防

已记录

3 个修复示例

2 预防

如何修复此漏洞

基于 3 条 Shoulder 检测规则的 Insertion of Sensitive Information 预防策略。

🐹 Go 查看全部 Go 详情 →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against an allowlist and never send internal credentials to user-controlled endpoints

+14 -4 go

- func webhook(w http.ResponseWriter, r *http.Request) {
-     endpoint := r.FormValue("webhook_url")
-     req, _ := http.NewRequest("POST", endpoint, nil)
-     req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
+ var allowedDomains = map[string]bool{
+     "api.slack.com":    true,
+     "hooks.stripe.com": true,
+ }
+ 
+ func webhook(w http.ResponseWriter, r *http.Request) {
+     endpoint := r.FormValue("webhook_url")
+     parsed, err := url.Parse(endpoint)
+     if err != nil || !allowedDomains[parsed.Host] {
+         http.Error(w, "Untrusted domain", 400)
+         return
+     }
+     req, _ := http.NewRequest("POST", endpoint, body)
+     req.Header.Set("X-Webhook-Secret", userWebhookSecret)
      client := &http.Client{}
      client.Do(req)
  }

🟨 JavaScript 查看全部 JavaScript 详情 →

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Validate webhook URLs against a domain allowlist and never send internal credentials

+9 -3 javascript

- app.post('/webhook/register', async (req, res) => {
-   await fetch(req.body.webhookUrl, {
-     headers: { 'Authorization': `Bearer ${process.env.API_KEY}` }
+ const ALLOWED_DOMAINS = ['api.slack.com', 'hooks.stripe.com'];
+ 
+ app.post('/webhook/register', async (req, res) => {
+   const url = new URL(req.body.webhookUrl);
+   if (!ALLOWED_DOMAINS.includes(url.hostname)) {
+     return res.status(400).json({ error: 'Untrusted domain' });
+   }
+   await fetch(url, {
+     headers: { 'X-Webhook-Secret': req.body.webhookSecret }
    });
  });

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Insertion of Sensitive Information Into Sent Data模式。 3 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=201

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (3)

🐹 Go 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```go // User controls 'endpoint' from request endpoint := r.FormValue("webhook_url") // Server sends its internal API key to attacker-controlled URL req, _ := http.NewRequest("POST", endpoint, nil) req.Header.

🟨 Javascript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro

🔷 Typescript 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```javascript // User controls 'endpoint' from request const endpoint = req.body.webhookUrl; // Server sends its internal API key to attacker-controlled URL await fetch(endpoint, { headers: { 'X-API-Key': pro

🐍 Python 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data. Example vulnerable pattern: ```python # User controls 'endpoint' from request endpoint = request.form.get('webhook_url') # Server sends its internal API key to attacker-controlled URL requests.post(endpoint, headers={'X-API-Key': os.envir

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Insertion of Sensitive Information Into Sent Data漏洞。在代码审查和安全审计中注意查找。

🔴

when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled e go-webhook-credential-exfiltration

🔍

扫描你的代码库: Insertion of Sensitive Information Into Sent Data

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则