03 Mar, 2023

Insecure Storage of Sensitive Data

Insecure Storage of Sensitive Data refers to the practice of storing confidential or sensitive information in a way that is vulnerable to unauthorized access, theft, or misuse. Sensitive data can include personally identifiable information (PII) such as names, addresses, social security numbers, financial data, medical records, and more.

When sensitive data is not stored securely, it can be easily accessed by unauthorized individuals, leading to serious consequences such as identity theft, financial fraud, or reputational damage. Some common examples of insecure storage of sensitive data include storing data in unencrypted files, using weak or easily guessed passwords, or storing data on unsecured servers or devices.

Examples of vulnerable code in different programming languages:

• in Python:

    import pickle

    # Vulnerable: credentials are serialized to disk in cleartext.
    sensitive_data = {'username': 'example_user', 'password': 'password123'}
    with open('data.pickle', 'wb') as f:
        pickle.dump(sensitive_data, f)

This code stores sensitive data in a pickle file without encrypting it, so anyone with access to the file can read it.

• in Java:

    import java.io.File;
    import java.io.FileWriter;
    import java.io.IOException;

    public class InsecureStorage {
        public static void main(String[] args) throws IOException {
            // Vulnerable: credentials are written to disk in cleartext.
            String sensitiveData = "username: example_user, password: password123";
            File file = new File("data.txt");
            try (FileWriter writer = new FileWriter(file)) {
                writer.write(sensitiveData);
            }
        }
    }

This code stores sensitive data in a plain text file without encrypting it, so anyone with access to the file can read it.

• in PHP:

    <?php
    // Vulnerable: credentials are written to disk as cleartext JSON.
    $sensitive_data = array('username' => 'example_user', 'password' => 'password123');
    file_put_contents('data.json', json_encode($sensitive_data));
    ?>

This code stores sensitive data in a JSON file without encrypting it, so anyone with access to the file can read it.
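
A hardened counterpart to the three snippets above, added here as an example and not part of the original page: the password is kept only as a salted PBKDF2 hash, the record is written as JSON rather than pickle, and the file is created owner-only. The function names, the 600,000-iteration work factor and the file name are assumptions of this example; secrets that must be read back (API keys, tokens) need authenticated encryption with the key held outside the file, which this block does not cover.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile

# Assumption for this example: PBKDF2-HMAC-SHA256 work factor; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a salted, deliberately slow hash record; the cleartext is never kept."""
    if salt is None:
        salt = secrets.token_bytes(16)  # unique per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def store_credentials(path, username, password):
    """Write the record as JSON (not pickle) to a new, owner-only file."""
    record = {"username": username, "password": hash_password(password)}
    # O_EXCL fails if the path already exists, so a pre-planted file or symlink
    # is never written through; 0o600 means no group/other access from creation.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(record, f)
    return record


def load_credentials(path):
    """Read the stored record back; it contains a hash, never the password."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


if __name__ == "__main__":
    # Constructed sample values, matching the placeholders used on the page.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "data.json")
        store_credentials(path, "example_user", "password123")
        stored = load_credentials(path)
        print(oct(os.stat(path).st_mode & 0o777))
        print(verify_password("password123", stored["password"]))
        print(verify_password("wrong-guess", stored["password"]))
```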

Examples of exploitation of Insecure Storage of Sensitive Data

Data Breaches:

Attackers can exploit insecure storage of sensitive data to steal confidential information such as login credentials, personal information, credit card details, and more. This information can then be used for identity theft, financial fraud, or other malicious activities.

Ransomware Attacks:

Attackers can use ransomware to encrypt sensitive data stored on a system, rendering it unusable until the victim pays a ransom. Insecure storage of sensitive data can make it easier for attackers to access and encrypt the data, increasing the likelihood of successful ransomware attacks.

Insider Threats:

Insiders with access to sensitive data can exploit insecure storage to steal or misuse confidential information for personal gain. This can include employees, contractors, or other trusted individuals who have access to sensitive data.

Social Engineering:

Attackers can use social engineering techniques to trick individuals into disclosing sensitive data, such as passwords or other confidential information. Insecure storage of sensitive data can make it easier for attackers to access this information and use it to gain the trust of their targets.

Privilege escalation techniques for Insecure Storage of Sensitive Data

Stealing Sensitive Credentials:

If an attacker can gain access to sensitive credentials, such as login credentials or API keys, stored insecurely on a system, they can use them to escalate their privileges and gain access to additional resources or systems.

Exploiting Weak Access Controls:

If sensitive data is stored insecurely and access controls are weak, an attacker may be able to gain access to this data and use it to escalate their privileges. For example, if an attacker can access a file containing admin credentials, they may be able to use those credentials to gain administrative access to a system.

Manipulating Sensitive Data:

An attacker may be able to manipulate sensitive data stored insecurely to gain privileges on a system. For example, if an attacker can modify a user’s permissions or roles in a database, they may be able to gain additional privileges and escalate their access.

Impersonation:

If an attacker can gain access to sensitive data stored insecurely, they may be able to use that data to impersonate a trusted user or system and gain additional privileges. For example, if an attacker can access a user’s session cookie or API key, they may be able to impersonate that user and access resources they would not normally be able to access.

General methodology and checklist for Insecure Storage of Sensitive Data

Methodology:

  1. Identify Sensitive Data: Identify the sensitive data that needs to be protected, such as personally identifiable information (PII), financial information, authentication credentials, and other confidential data.

  2. Identify Storage Locations: Identify all the locations where the sensitive data is stored, such as databases, file systems, memory, and network storage devices.

  3. Assess Storage Security: Assess the security measures currently in place for each storage location. This may include reviewing access controls, encryption methods, and other security features.

  4. Test for Vulnerabilities: Test each storage location for vulnerabilities such as weak access controls, unencrypted data, or other vulnerabilities that could be exploited to access sensitive data.

  5. Exploit Vulnerabilities: Attempt to exploit any vulnerabilities that are found to gain access to sensitive data.

  6. Report Findings: Report any vulnerabilities that are found, along with recommendations for improving the security of the storage locations. The report should include a risk assessment that considers the potential impact of a successful attack on the sensitive data.

  7. Verify Remediation: After any vulnerabilities are remediated, verify that the security measures have been effectively implemented and are sufficient to protect the sensitive data.

Checklist:

  1. Identify the types of sensitive data that are being stored, such as personal information, financial information, authentication credentials, or other confidential data.

  2. Identify the storage locations for the sensitive data, such as databases, file systems, network storage devices, or memory.

  3. Check if encryption is used for sensitive data in storage, and if it is implemented properly.

  4. Verify if access controls are properly configured for storage locations and if they limit access to authorized users.

  5. Check if the sensitive data is properly disposed of when it is no longer needed, such as by securely deleting or destroying it.

  6. Verify if secure communication protocols are used for transferring sensitive data, such as SSL/TLS.

  7. Check if sensitive data is backed up securely and if backups are encrypted and stored in secure locations.

  8. Check if default credentials or weak passwords are used to protect the sensitive data; if they are, they should be changed.

  9. Verify if any sensitive data is exposed through error messages, logs, or other system output.

  10. Check if the storage locations are protected against unauthorized access or manipulation, such as by implementing intrusion detection or prevention mechanisms.
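
Checklist items 3 and 4 can be partly automated; the following added example (not from the original page) walks a directory, flags files that hold credential-like fields in cleartext, including pickle files, and records whether group or other users can read them. The key-name list, function names and sample files are assumptions constructed for the example.

```python
import json
import os
import pickle
import re
import stat
import tempfile

# Assumption: field names this example treats as sensitive; extend the list to
# match your own data classification.
KEY_NAMES = (b"password", b"passwd", b"secret", b"api_key", b"token")
# key: value or key = value where the value is a literal, not a nested object.
KEY_VALUE = re.compile(
    rb"""(%s)\b["']?\s*[:=]\s*["']?[^\s"',{}\[\]]{4,}""" % b"|".join(KEY_NAMES),
    re.IGNORECASE)
MAX_BYTES = 1024 * 1024  # read at most 1 MiB per file


def audit_file(path):
    """Return a finding for one file, or None. Values are never copied out."""
    with open(path, "rb") as f:
        data = f.read(MAX_BYTES)
    if data[:1] == b"\x80":
        # Pickle protocol 2+ starts with the PROTO opcode 0x80; strings inside
        # are stored as-is, so a sensitive key name means cleartext data.
        fmt = "pickle"
        keys = {k.decode() for k in KEY_NAMES if k in data.lower()}
    else:
        fmt = "text"
        keys = {m.group(1).decode().lower() for m in KEY_VALUE.finditer(data)}
    if not keys:
        return None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"path": path, "format": fmt, "keys": sorted(keys), "mode": oct(mode),
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH))}


def audit_tree(root):
    """Walk a directory and collect findings, files readable by others first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                finding = audit_file(os.path.join(dirpath, name))
            except OSError:
                continue  # not readable by the auditing account; skip it
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: (not f["readable_by_others"], f["path"]))


def build_sample_tree(root):
    """Constructed sample files mirroring the page's vulnerable snippets."""
    creds = {"username": "example_user", "password": "password123"}
    with open(os.path.join(root, "data.pickle"), "wb") as f:
        pickle.dump(creds, f)
    with open(os.path.join(root, "data.json"), "w") as f:
        json.dump(creds, f)
    with open(os.path.join(root, "hashed.json"), "w") as f:
        json.dump({"username": "example_user",
                   "password": {"alg": "pbkdf2_sha256", "hash": "ab" * 32}}, f)
    os.chmod(os.path.join(root, "data.pickle"), 0o644)
    os.chmod(os.path.join(root, "data.json"), 0o600)
    os.chmod(os.path.join(root, "hashed.json"), 0o600)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_tree(tmp):
            print(finding)
```

The report lists key names and file modes only, so the audit output does not itself become a second copy of the secrets.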

Tool set for exploiting Insecure Storage of Sensitive Data

Manual Tools:

  1. Burp Suite: A popular web application security testing tool that allows you to intercept and modify traffic between a browser and a web server. Burp Suite can be used to identify and exploit vulnerabilities in web applications that may lead to insecure storage of sensitive data.

  2. sqlmap: A tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications. By exploiting SQL injection vulnerabilities, attackers may be able to gain access to sensitive data stored in databases.

  3. Wireshark: A network protocol analyzer that allows you to capture and analyze network traffic. Wireshark can be used to identify sensitive data that is transmitted over the network in an unencrypted format.

  4. OpenSSL: A popular open-source library for implementing secure communication protocols, including SSL/TLS. OpenSSL can be used to test the security of encrypted storage locations by attempting to decrypt data without the proper encryption keys.

Automated Tools:

  1. Nessus: A vulnerability scanner that can identify vulnerabilities in network devices, servers, and applications. Nessus can be used to identify vulnerabilities that may lead to insecure storage of sensitive data.

  2. Nmap: A network mapping tool that can be used to identify open ports and services on a network. Nmap can be used to identify potential attack vectors that may be exploited to gain access to storage locations containing sensitive data.

  3. Metasploit: An exploitation framework that provides a wide range of automated tools and payloads for testing the security of systems and applications. Metasploit can be used to identify and exploit vulnerabilities that may lead to insecure storage of sensitive data.

  4. SQLninja: A tool that automates the process of exploiting SQL injection vulnerabilities in web applications. SQLninja can be used to extract sensitive data stored in databases.

  5. SQLMate: A tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications. By exploiting SQL injection vulnerabilities, attackers may be able to gain access to sensitive data stored in databases.

  6. DirBuster: A tool that performs brute-force attacks against web servers to discover hidden directories and files. DirBuster can be used to identify hidden storage locations that may contain sensitive data.

  7. Brutus: A tool that performs brute-force attacks against login pages and other authentication mechanisms. Brutus can be used to gain access to storage locations containing sensitive data that are protected by weak or default credentials.

  8. Hydra: A tool that performs brute-force attacks against various authentication protocols, including FTP, SSH, and HTTP. Hydra can be used to gain access to storage locations containing sensitive data that are protected by weak or default credentials.

  9. Wfuzz: A tool that performs brute-force attacks against web applications to discover hidden directories and files. Wfuzz can be used to identify hidden storage locations that may contain sensitive data.

  10. Acunetix: A web application scanner that can identify vulnerabilities in web applications, including those that may lead to insecure storage of sensitive data.

Browser Plugins:

  1. Tamper Data: A Firefox plugin that allows you to intercept and modify traffic between a browser and a web server. Tamper Data can be used to identify and exploit vulnerabilities in web applications that may lead to insecure storage of sensitive data.

  2. SQL Inject Me: A Firefox plugin that allows you to test for SQL injection vulnerabilities in web applications. SQL Inject Me can be used to identify vulnerabilities that may lead to insecure storage of sensitive data.

The Common Weakness Enumeration (CWE)

• CWE-312: Cleartext Storage of Sensitive Information – This weakness refers to storing sensitive information in cleartext form, making it easy for attackers to access and steal the information.

• CWE-313: Cleartext Storage in a File or on Disk – This weakness is similar to CWE-312, but specifically refers to storing sensitive information in a file or on disk in cleartext form.

• CWE-257: Storing Passwords in a Recoverable Format – This weakness refers to storing passwords in a recoverable format, such as encrypted or hashed, but with weak encryption or hashing algorithms that can be easily cracked by attackers.

• CWE-522: Insufficiently Protected Credentials – This weakness refers to storing credentials in a way that does not sufficiently protect them from attackers. This can include weak encryption or hashing, or storing credentials in cleartext form.

• CWE-200: Information Exposure – This weakness refers to exposing sensitive information, such as passwords, personal data, or financial information, to unauthorized parties.

• CWE-922: Insecure Storage of Sensitive Information in a Cookie – This weakness refers to storing sensitive information in a cookie, such as session IDs or authentication tokens, in an insecure manner that can be easily intercepted and stolen by attackers.

• CWE-525: Information Exposure Through an Error Message – This weakness refers to revealing sensitive information, such as file paths or error messages, in error messages or log files, which can be exploited by attackers.

• CWE-326: Inadequate Encryption Strength – This weakness refers to using weak encryption algorithms or insufficient key lengths, which can be easily cracked by attackers.

• CWE-311: Missing Encryption of Sensitive Data – This weakness refers to failing to encrypt sensitive data in transit or at rest, making it vulnerable to interception and theft by attackers.

CVEs related to Insecure Storage of Sensitive Data

• CVE-2022-1044 – Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1.

• CVE-2020-8482 – Insecure storage of sensitive information in ABB Device Library Wizard versions 6.0.X, 6.0.3.1 and 6.0.3.2 allows unauthenticated low privilege user to read file that contains confidential data.

• CVE-2018-6599 – An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls.

• CVE-2014-0647 – The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.

• CVE-2013-6986 – The ZippyYum Subway CA Kiosk app 3.4 for iOS uses cleartext storage in SQLite cache databases, which allows attackers to obtain sensitive information by reading data elements, as demonstrated by password elements.
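
CVE-2014-0647 above and checklist item 9 both concern credentials ending up in log files; this added example (not from the original page or from any of the named apps) attaches a filter to a Python logging handler that masks labelled secret fields before the line is written. The key list, logger name and log lines are constructed for the example, and free-text content such as message bodies has to be kept out of logs entirely because a pattern filter cannot recognise it.

```python
import io
import logging
import re

# Assumption: field names treated as sensitive in this example.
SENSITIVE_KEYS = ("password", "passwd", "token", "secret", "api_key", "email")
# key=value, key: value and JSON-style "key": "value" pairs.
_PAIR = re.compile(
    r"""\b(%s)\b(["']?\s*[:=]\s*)("[^"]*"|'[^']*'|[^\s,;&}]+)""" % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE)


class RedactingFilter(logging.Filter):
    """Mask labelled secrets in a record before the handler formats and emits it."""

    def filter(self, record):
        # Render %-style args first so secrets passed as arguments are covered.
        rendered = record.getMessage()
        record.msg = _PAIR.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", rendered)
        record.args = None
        return True  # keep the record, now with masked values


def build_logger(stream, name="app.auth"):
    """Return a logger whose only handler writes redacted lines to `stream`."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    # On the handler, the filter also covers records from child loggers.
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def demo():
    """Log three constructed lines and return what actually reached the stream."""
    stream = io.StringIO()
    log = build_logger(stream)
    log.info("login attempt username=%s password=%s", "example_user", "password123")
    log.info('session payload {"email": "user@example.com", "token": "abc123"}')
    log.warning("cache warmed in 12 ms")
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```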

Insecure Storage of Sensitive Data exploits

  • SQL Injection: An attacker can inject SQL commands to extract sensitive data from the database, such as usernames and passwords.

  • Directory Traversal: An attacker can exploit a vulnerability that allows them to navigate to directories outside the webroot to access sensitive files or data.

  • Cross-Site Scripting (XSS): An attacker can inject malicious scripts into a web application, allowing them to steal sensitive data from the user or hijack their session.

  • Password Cracking: An attacker can use password cracking techniques to decrypt or brute force passwords that have been stored insecurely.

  • Man-in-the-Middle (MITM) Attack: An attacker can intercept and read sensitive data being transmitted between a user and a server.

  • Unsecured HTTP: An attacker can intercept sensitive data being transmitted over an unsecured HTTP connection.

  • Insecure Cookies: An attacker can exploit vulnerabilities in cookies that store sensitive data, such as session IDs or authentication tokens.

  • Social Engineering: An attacker can trick users into giving up sensitive data, such as passwords, through phishing emails or other social engineering tactics.

  • Misconfigured Cloud Storage: An attacker can exploit misconfigured cloud storage to gain access to sensitive data stored in the cloud.

  • Insufficient Access Controls: An attacker can exploit insufficient access controls to gain access to sensitive data that they should not have access to.

Practicing testing for Insecure Storage of Sensitive Data

Set up a vulnerable web application: Create a vulnerable web application that stores sensitive data in an insecure manner, and use it to test various attack scenarios.

Use a web vulnerability scanner: Use a web vulnerability scanner like OWASP ZAP or Burp Suite to scan for vulnerabilities related to insecure storage of sensitive data.

Perform manual testing: Use manual testing techniques to check for vulnerabilities related to insecure storage of sensitive data, such as inspecting cookies, analyzing HTTP traffic, and checking for weak encryption algorithms.

Try different attack scenarios: Test various attack scenarios, such as SQL injection, directory traversal, and cross-site scripting, to see if sensitive data can be extracted or manipulated.

Explore cloud storage configurations: If the application uses cloud storage, test different configurations to see if any misconfigurations can be exploited to gain access to sensitive data.

Use password cracking tools: Use password cracking tools like John the Ripper or Hashcat to attempt to crack passwords that have been stored in an insecure manner.

Practice social engineering: Use social engineering techniques to attempt to trick users into giving up sensitive data, such as passwords or authentication tokens.

Test backup and recovery processes: Test backup and recovery processes to ensure that sensitive data is not compromised in the event of a data breach.

For studying Insecure Storage of Sensitive Data

OWASP Top 10: A list of the most critical web application security risks, including insecure storage of sensitive data. This resource provides a great overview of the issue and offers guidance on how to mitigate the risks.

CWE: A community-developed list of common software weaknesses and vulnerabilities. The CWE website provides a list of CWEs related to insecure storage of sensitive data, which can help you better understand the issue and how to prevent it.

Web Application Hacker’s Handbook: A comprehensive guide to testing web applications for security vulnerabilities. It includes a section on insecure storage of sensitive data, which provides detailed information on the issue and how to test for it.

OWASP ZAP: A popular open-source web application security scanner that can be used to test for insecure storage of sensitive data. It includes a variety of features and tools to help you identify and exploit vulnerabilities related to insecure storage.

Burp Suite: Another popular web application security scanner that includes features for testing for insecure storage of sensitive data. It can be used to analyze HTTP traffic, identify cookies that store sensitive data, and test for vulnerabilities related to backup and recovery processes.

YouTube tutorials: There are many YouTube tutorials that cover insecure storage of sensitive data and how to test for it. These can be a great resource for visual learners who want to see the issue in action.

Books with review of Insecure Storage of Sensitive Data

“Web Application Security: A Beginner’s Guide” by Bryan Sullivan and Vincent Liu: This book provides an introduction to web application security, including a chapter on securing sensitive data.

“The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski: This book covers a wide range of web application security topics, including a chapter on handling sensitive data.

“Web Security for Developers: Real Threats, Practical Defense” by Malcolm McDonald and James D. Brown: This book provides a practical guide to web application security for developers, including a chapter on securing sensitive data.

“Hacking Exposed Web Applications: Web Application Security Secrets and Solutions” by Joel Scambray, Vincent Liu, and Caleb Sima: This book is a comprehensive guide to web application security, including a chapter on securing data.

“The Basics of Web Hacking: Tools and Techniques to Attack the Web” by Josh Pauli: This book provides an introduction to web hacking, including a chapter on exploiting vulnerabilities related to sensitive data.

“Security for Web Developers: Using JavaScript, HTML, and CSS” by John Paul Mueller: This book provides guidance on how to build secure web applications, including a chapter on securing sensitive data.

“Real-World Bug Hunting: A Field Guide to Web Hacking” by Peter Yaworski: This book provides real-world examples of web vulnerabilities, including a chapter on exploiting vulnerabilities related to sensitive data.

“Web Application Security, A Complete Guide – 2021 Edition” by Gerardus Blokdyk: This book provides a comprehensive guide to web application security, including a chapter on securing sensitive data.

“Cybersecurity: The Beginner’s Guide: A comprehensive guide to getting started in cybersecurity” by Dr. Erdal Ozkaya: This book provides an introduction to cybersecurity, including a chapter on securing sensitive data.

“Practical Web Application Security” by Glenn ten Cate: This book provides practical guidance on securing web applications, including a chapter on securing sensitive data.

List of payloads for Insecure Storage of Sensitive Data

  1. SQL Injection Payloads: Can be used to extract sensitive data from a database. Payloads can be crafted to retrieve data from specific database tables or columns.

  2. Directory Traversal Payloads: Can be used to read files from the server. Payloads can be crafted to read sensitive data from files on the server.

  3. Cross-Site Scripting (XSS) Payloads: Can be used to steal sensitive data from a user’s browser. Payloads can be crafted to steal cookies, session IDs, and other sensitive information.

  4. Remote File Inclusion (RFI) Payloads: Can be used to include remote files on the server, which can be used to steal sensitive data.

  5. Server-Side Request Forgery (SSRF) Payloads: Can be used to make requests to internal systems or services, which can be used to steal sensitive data.

  6. XML External Entity (XXE) Payloads: Can be used to read sensitive data from files on the server, such as configuration files.

  7. File Upload Payloads: Can be used to upload malicious files that can be used to steal sensitive data or gain access to the server.

  8. Path Traversal Payloads: Can be used to read files from the server, including sensitive data.

  9. Insecure Object References Payloads: Can be used to access sensitive data by manipulating object IDs.

  10. Brute Force Password Guessing Payloads: Can be used to guess passwords and gain access to sensitive data.

How to protect against Insecure Storage of Sensitive Data

  1. Encryption: Use strong encryption algorithms to encrypt sensitive data both in transit and at rest.

  2. Access Control: Implement proper access controls to limit who can access sensitive data, and ensure that only authorized users have access to the data.

  3. Secure Storage: Store sensitive data in a secure location, such as a locked cabinet, safe, or encrypted storage system.

  4. Data Retention: Develop and enforce policies for how long sensitive data should be retained, and how it should be securely destroyed when no longer needed.

  5. Regular Audits: Regularly review and audit the storage of sensitive data to identify any vulnerabilities or weaknesses.

  6. Redaction: Remove or redact sensitive data that is no longer needed, to minimize the risk of data breaches.

  7. Patching and Updates: Keep all software and systems up to date with the latest security patches and updates to minimize the risk of vulnerabilities being exploited.

  8. Training: Provide regular training and awareness programs for employees to help them understand the importance of secure data storage, and to identify and report any security issues.

  9. Data Classification: Classify data based on its sensitivity and importance, and apply appropriate security measures to each category.

  10. Security Controls: Implement technical security controls, such as firewalls, intrusion detection and prevention systems, and anti-virus software, to protect against attacks and unauthorized access to sensitive data.

Conclusion

Insecure storage of sensitive data is a significant threat to organizations of all sizes, as it can result in data breaches, theft of intellectual property, financial losses, and damage to reputation. It is important for organizations to implement best practices and mitigations to protect against insecure storage of sensitive data, including encryption, access control, secure storage, data retention, regular audits, redaction, patching and updates, training, data classification, and security controls. By implementing these measures, organizations can significantly reduce the risk of data breaches and protect their sensitive data from unauthorized access and theft. It is also important for individuals to be aware of the risks associated with insecure storage of sensitive data, and to take steps to protect their personal information and privacy. Overall, a comprehensive approach to security and risk management is necessary to address the threat of insecure storage of sensitive data and protect against cyber attacks and data breaches.
