Intermediate Web — OWASP Top 10

Sensitive Data Exposure

Sensitive data exposure (A3 in the 2017 OWASP Top 10; folded into A02:2021 Cryptographic Failures, which names the root cause rather than the symptom) occurs when information such as passwords, credit cards, health records, or other PII is stored or transmitted without adequate cryptographic protection, or with cryptography that is obsolete or misconfigured. The attacker does not need to "hack" anything: they read what is already exposed, on the wire, on disk, in a repository, or in a log file.

Data in Transit — HTTP Without TLS

// Interception with Wireshark on a local network (educational purposes only).
// Anyone on the path (shared Wi-Fi, a compromised router, an upstream proxy)
// sees exactly the same bytes. Request captured in plaintext:
POST /login HTTP/1.1
Host: app.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

username=john&password=mypassword123

Solution: enforce TLS everywhere. Redirect HTTP to HTTPS, and send HSTS so that browsers stop issuing the first request in plaintext at all (the 301 alone still leaks the first request of every session before the redirect arrives). The HSTS header is only honoured when received over HTTPS, so it belongs in the 443 server block, not the redirect block.

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    # ... certificate and ssl_* directives ...
    # "always" makes nginx send the header on error responses too
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}

Caveat: includeSubDomains applies the policy to every subdomain, and preload submits the domain to a list built into browsers that is slow to leave. Roll out with a short max-age first, confirm nothing on any subdomain still depends on plain HTTP, then raise it to a year before adding preload.

TLS — Weak Configurations

Obsolete protocols (disable; SSLv3 is deprecated by RFC 7568, TLS 1.0 and 1.1 by RFC 8996):
- SSLv2, SSLv3 (POODLE)
- TLS 1.0, TLS 1.1 (BEAST on TLS 1.0 CBC suites, POODLE-TLS in some implementations; neither offers AEAD cipher suites)

Weak ciphers (avoid):
- RC4, DES, 3DES (SWEET32), EXPORT-grade suites
- NULL (no encryption) and anonymous aNULL (no authentication) suites, MD5-based MACs

Secure configuration (nginx):
ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers governs TLS 1.2 only; TLS 1.3 suites are all AEAD and are selected by the TLS library.
# ECDHE gives forward secrecy. This list admits only AES-256-GCM, so clients without it
# are refused; add the CHACHA20-POLY1305 and AES128-GCM ECDHE suites if you need them.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

Verify from the outside rather than trusting the config file: openssl s_client -connect app.example.com:443 -tls1_1 must fail to handshake, and testssl.sh or nmap --script ssl-enum-ciphers lists every protocol and suite the server still accepts.
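As an added example (not part of the course page, and not an nginx tool), the following Python script lints an nginx fragment for the problems this section and the redirect/HSTS section describe: obsolete ssl_protocols, weak ssl_ciphers entries, a port-80 server without a 301 to https, and an HSTS header that is too short, requests preload without includeSubDomains, or is missing nginx's always flag. The weak-cipher token list, the one-year threshold and the two sample configs are the author's own constructions. It is a regression check for config files kept in a repository; it does not replace probing the live endpoint with openssl s_client or testssl.sh.

```python
import re

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark a weak family in an OpenSSL cipher name (author's list).
WEAK_CIPHER_TOKENS = ("RC4", "DES", "EXPORT", "EXP-", "NULL", "MD5")
MIN_HSTS_AGE = 31536000  # one year, also the hstspreload.org minimum


def parse_directives(config: str) -> list[tuple[str, str]]:
    """Return (name, value) for each 'name value;' line; comments and braces are skipped."""
    out = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([a-z_]+)\s+(.+?)\s*;$", line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def check_hsts(header_value: str, has_always: bool) -> list[str]:
    """Check an HSTS value against the one-year recommendation and the preload rules."""
    findings = []
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    names = {p.split("=", 1)[0].lower() for p in parts}
    max_age = None
    for p in parts:
        if p.lower().startswith("max-age="):
            try:
                max_age = int(p.split("=", 1)[1])
            except ValueError:
                findings.append(f"HSTS max-age is not an integer: {p}")
    if max_age is None:
        findings.append("HSTS header has no usable max-age (browsers ignore it)")
    elif max_age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "preload" in names and "includesubdomains" not in names:
        findings.append("preload requested without includeSubDomains (preload list rejects it)")
    if not has_always:
        findings.append("add_header lacks 'always': HSTS omitted on 4xx/5xx responses")
    return findings


def audit_tls_config(config: str) -> list[str]:
    """Return findings for an nginx fragment; an empty list means nothing was flagged."""
    findings = []
    directives = parse_directives(config)
    for name, value in directives:
        if name == "ssl_protocols":
            bad = sorted(OBSOLETE_PROTOCOLS & set(value.split()))
            if bad:
                findings.append("obsolete protocols enabled: " + " ".join(bad))
        elif name == "ssl_ciphers":
            for cipher in value.split(":"):
                if cipher.startswith(("!", "-")):  # '!RC4' removes a family, not adds it
                    continue
                if any(tok in cipher.upper() for tok in WEAK_CIPHER_TOKENS):
                    findings.append(f"weak cipher allowed: {cipher}")
        elif name == "add_header":
            m = re.match(r'Strict-Transport-Security\s+"([^"]*)"(.*)', value)
            if m:
                findings.extend(check_hsts(m.group(1), "always" in m.group(2).split()))
    listens_80 = any(n == "listen" and v.split()[0] in ("80", "*:80") for n, v in directives)
    redirects = any(n == "return" and v.startswith("301 https://") for n, v in directives)
    if listens_80 and not redirects:
        findings.append("port 80 server does not redirect to https")
    if "ssl_protocols" not in {n for n, _ in directives}:
        findings.append("ssl_protocols not set; the nginx default depends on the version")
    return findings


# Constructed sample configs (not from any real deployment).
WEAK_CONFIG = """\
server {
    listen 80;   # no redirect
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:RC4-SHA:DES-CBC3-SHA;
    add_header Strict-Transport-Security "max-age=300";
}
"""
GOOD_CONFIG = """\
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit_tls_config(cfg) or ["ok"])
```

Run it in CI against the nginx directory and fail the build on any finding; the negative-entry check ('!RC4') matters because a cipher string like HIGH:!aNULL is a common and correct idiom that a naive substring search would flag.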

Data at Rest — Unencrypted Database

-- VULNERABLE: sensitive data in plaintext
CREATE TABLE patients (
    id INT PRIMARY KEY,
    name VARCHAR(100),
    ssn VARCHAR(20),       -- no encryption
    diagnosis TEXT         -- no encryption
);
-- Best practice: column-level encryption (PostgreSQL pgcrypto).
-- pgp_sym_encrypt returns bytea, so the protected columns must be bytea,
-- and the INSERT must also supply the NOT NULL primary key.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE patients_encrypted (
    id INT PRIMARY KEY,
    name VARCHAR(100),
    ssn BYTEA,
    diagnosis BYTEA
);
INSERT INTO patients_encrypted (id, name, ssn, diagnosis)
VALUES (
    1,
    'John',
    pgp_sym_encrypt('123-45-6789', 'encryption_key'),
    pgp_sym_encrypt('Hypertension', 'encryption_key')
);

Full Disk Encryption (FDE) protects against physical theft of the disk or backup media, but not against access through a compromised application, an injected SQL query, or a privileged database account: the database hands all of those callers the data already decrypted. Column-level encryption narrows this only if the key lives outside the database (in the application, a KMS or an HSM). A key passed as a string literal, as in the pgp_sym_encrypt example above, is recorded in statement logs and pg_stat_statements, and randomly encrypted columns cannot be indexed or searched directly, so lookups need a separate design.
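The following added example (Python, the author's code, not the page's or pgcrypto's; it needs the cryptography package) shows the alternative the caveat points to: the application encrypts each column with AES-256-GCM before the value reaches the database, binds every ciphertext to its table, column and row id through the AEAD's associated data, and keeps a separate keyed blind index so the encrypted SSN can still be looked up by equality. FieldCrypto, PatientStore, the in-memory row store and the demo keys are hypothetical; in production the keys come from a KMS or HSM and the rows live in the patients table.

```python
import base64
import hashlib
import hmac
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class FieldCrypto:
    """Application-layer column encryption plus a keyed blind index.

    enc_key:   256-bit AES-GCM key (hypothetical; fetched from a KMS/HSM in production)
    index_key: independent HMAC key for the searchable index
    """

    def __init__(self, enc_key: bytes, index_key: bytes):
        self._aead = AESGCM(enc_key)
        self._index_key = index_key

    @staticmethod
    def _aad(table: str, column: str, row_id: int) -> bytes:
        # Associated data ties a ciphertext to its table/column/row, so a value
        # copied into another row (or column) fails authentication on decrypt.
        return f"{table}.{column}.{row_id}".encode()

    def encrypt(self, plaintext: str, table: str, column: str, row_id: int) -> str:
        nonce = os.urandom(12)  # fresh 96-bit nonce per value, stored with it
        ct = self._aead.encrypt(nonce, plaintext.encode(), self._aad(table, column, row_id))
        return base64.b64encode(nonce + ct).decode()

    def decrypt(self, stored: str, table: str, column: str, row_id: int) -> str:
        blob = base64.b64decode(stored)
        return self._aead.decrypt(blob[:12], blob[12:], self._aad(table, column, row_id)).decode()

    def blind_index(self, value: str) -> str:
        # Canonicalise so '123-45-6789' and '123456789' agree; truncate so the
        # index supports equality lookups but is not a full hash of the secret.
        canon = "".join(ch for ch in value if ch.isalnum()).lower()
        return hmac.new(self._index_key, canon.encode(), hashlib.sha256).hexdigest()[:16]


class PatientStore:
    """In-memory stand-in for the patients table above (rows keyed by id)."""

    def __init__(self, crypto: FieldCrypto):
        self.crypto = crypto
        self.rows: dict[int, dict] = {}

    def insert(self, row_id: int, name: str, ssn: str, diagnosis: str) -> None:
        c = self.crypto
        self.rows[row_id] = {
            "name": name,
            "ssn": c.encrypt(ssn, "patients", "ssn", row_id),
            "ssn_idx": c.blind_index(ssn),  # what a WHERE clause compares against
            "diagnosis": c.encrypt(diagnosis, "patients", "diagnosis", row_id),
        }

    def find_by_ssn(self, ssn: str) -> list[int]:
        # Equality lookup goes through the index; nothing is decrypted to search.
        idx = self.crypto.blind_index(ssn)
        return [rid for rid, r in self.rows.items() if r["ssn_idx"] == idx]

    def read(self, row_id: int) -> dict:
        r, c = self.rows[row_id], self.crypto
        return {
            "name": r["name"],
            "ssn": c.decrypt(r["ssn"], "patients", "ssn", row_id),
            "diagnosis": c.decrypt(r["diagnosis"], "patients", "diagnosis", row_id),
        }


def decrypts_in_other_row(crypto: FieldCrypto, stored: str, column: str, row_id: int) -> bool:
    """True if a ciphertext moved to another row still decrypts (it must not)."""
    try:
        crypto.decrypt(stored, "patients", column, row_id)
        return True
    except InvalidTag:
        return False


def demo() -> PatientStore:
    # Demo keys generated in-process; in production they come from a KMS.
    store = PatientStore(FieldCrypto(AESGCM.generate_key(bit_length=256), os.urandom(32)))
    store.insert(1, "John", "123-45-6789", "Hypertension")
    store.insert(2, "Ana", "987-65-4321", "Asthma")
    return store


if __name__ == "__main__":
    s = demo()
    print(s.rows[1])  # only ciphertexts and the index reach the database
    print(s.find_by_ssn("123456789"), s.read(1))
```

The blind index trades a little leakage (equal SSNs produce equal index values) for searchability; it is keyed with a separate secret so a database dump alone cannot be brute-forced against the public SSN format, and it is truncated so it cannot be used as a full fingerprint.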

Secrets in Source Code

# Search for accidentally committed secrets, including in history and deleted files
git log --all --full-history -- '*.env'
git grep -i -E "password|secret|api_key|token" HEAD
git log --all -p -S 'BEGIN RSA PRIVATE KEY'   # pickaxe: commits that added or removed the string

Tools: truffleHog, gitleaks, detect-secrets. Run them in pre-commit hooks and in CI/CD so a secret is refused before it reaches the shared repository. A secret that has already been pushed must be treated as compromised and rotated: rewriting history (git filter-repo, BFG) removes it from your copy, not from clones, forks, CI caches, or anyone who already fetched it.
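As an added example (the author's, not truffleHog's, gitleaks' or detect-secrets' code), here is the core of such a scanner in Python: a few regular expressions for well-known key formats, plus a Shannon-entropy test that separates real key material from placeholders such as 'changeme' or os.environ lookups in generic password= assignments. The patterns, the 3.5 bits/char threshold, the # allow-secret opt-out marker and the SAMPLE text are constructed for the example; AKIAIOSFODNN7EXAMPLE is the placeholder key from the AWS documentation, not a live credential.

```python
import math
import re
import sys

# Patterns and thresholds are the author's choices, kept deliberately small.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
ENTROPY_THRESHOLD = 3.5         # bits/char; random hex or base64 material scores higher
ALLOW_MARKER = "# allow-secret"  # inline opt-out for reviewed false positives


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<stdin>") -> list[tuple[str, int, str]]:
    """Return (path, line number, detector name) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:
            continue
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "generic_assignment":
                value = m.group(2)
                # Placeholders ('changeme', '${DB_PASSWORD}', os.environ[...]) have
                # low entropy; only values that look like real key material count.
                if value.startswith("${") or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append((path, lineno, name))
    return findings


# Constructed sample of a config file, not taken from any real repository.
SAMPLE = """\
DB_PASSWORD = os.environ["DB_PASSWORD"]
password = "changeme"                      # placeholder, low entropy
AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE
api_key: "Zq8vT3pL9xR2mN7kW4yH6sB1"
token = "Zq8vT3pL9xR2mN7kW4yH6sB1"  # allow-secret
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Pre-commit usage: secret_scan.py $(git diff --cached --name-only)
    if len(sys.argv) > 1:
        hits = []
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits += scan_text(fh.read(), path)
    else:
        hits = scan_text(SAMPLE, "sample")
    for path, lineno, name in hits:
        print(f"{path}:{lineno}: possible {name}")
    sys.exit(1 if hits else 0)
```

The entropy gate is what keeps a hook like this usable: without it, every password = "changeme" in test fixtures is a finding and developers start bypassing the hook. The real tools add many more signatures and verify some keys against the issuing API.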

Logging Sensitive Data

# WRONG — the plaintext password is written to every log sink (files, SIEM, support exports)
logger.info(f"Login attempt: user={username}, password={password}")

# CORRECT — record the event, never the credential
logger.info(f"Login attempt: user={username}")

The same applies to stack traces that dump local variables, framework debug pages, and request/response dumps: a debug mode left on in production exposes the same data through a different channel.
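Beyond discipline at each call site, a process-wide safety net catches the lines a reviewer missed. The added example below (Python, the author's code, not from the page) installs a logging.Filter that rewrites every record: key=value credentials, bearer tokens and Luhn-valid card numbers are masked before any handler formats the line. The regular expressions, the demo logger and the three constructed log calls are assumptions of the example; the Luhn check keeps 16-digit order numbers from being mangled along with card numbers.

```python
import logging
import re

# Patterns are the author's choice; extend them to match what your application handles.
_KEY_VALUE = re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key)(\s*[=:]\s*)\S+")
_BEARER = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+")
_CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from order ids of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(m) -> str:
    digits = re.sub(r"\D", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)  # not a card number; leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Scrub credentials, bearer tokens and card numbers from one string."""
    text = _KEY_VALUE.sub(r"\1\2[REDACTED]", text)
    text = _BEARER.sub(r"\1[REDACTED]", text)
    return _CARD.sub(_mask_card, text)


class RedactingFilter(logging.Filter):
    """Rewrites each record's message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # apply %-args first, then scrub
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo() -> list[str]:
    logger = logging.getLogger("auth-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.handlers = [handler]
    logger.filters = [RedactingFilter()]
    # Constructed log calls, including the WRONG line from above.
    logger.info("Login attempt: user=%s, password=%s", "john", "mypassword123")
    logger.info("Upstream sent Authorization: Bearer eyJhbGciOi.abc.def")
    logger.info("Order 1234567890123456 paid with card 4111 1111 1111 1111")
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A filter attached to one logger only sees records logged directly to that logger, so for third-party libraries that log through their own loggers attach RedactingFilter to the handlers instead; a handler-level filter runs on every record that handler emits.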

Protection Checklist

  • Identify and classify which data is sensitive (PII, financial, health) and where it flows: wire, disk, backups, logs, third parties.
  • Encrypt in transit: TLS 1.2+ with AEAD cipher suites, HTTP redirected to HTTPS, HSTS enabled.
  • Encrypt at rest: AES-256 in an authenticated mode (GCM) for files and databases, with keys held outside the data store (KMS/HSM).
  • Store passwords only as salted, slow hashes (Argon2, bcrypt, scrypt), never reversibly encrypted.
  • Do not store what you do not need: minimal data collection and defined retention periods.
  • Mask data in logs, debug screens, and error messages; disable framework debug mode in production.
  • Ensure backups are also encrypted, and that their keys are not stored on the same media.
  • Revoke and rotate secrets regularly, and immediately when one is exposed.