🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Secret Disclosure

Secrets (API keys, private keys, etc) are exposed in the code repository or source code. Unnecessary exposure of sensitive data increase likelihood of the system compromise.

Remediation

  • Immediately reset the disclosed secrets
  • Remove any instances of hardcoded secrets from the code
  • Refactor the app to use environment variables or secret files (mounted to the container at run time).
  • As the secret has been exposed for a prolonged time, it may have been misused to create persistence (e.g. creating another malicious keys). Create a IoC and monitor for usage of all the disclosed secrets. Monitor for suspicious authenticated activities especially privilege actions
  • Remove secrets from the git history using a tool like git filter-repo or BFG Repo-Cleaner

Metadata

  • Severity: high
  • Slug: secret-disclosure

CWEs

  • 212: Improper Removal of Sensitive Information Before Storage or Transfer
  • 798: Use of Hard-coded Credentials

OWASP

  • A05:2021: Security Misconfiguration
  • A07:2021: Identification and Authentication Failures

Available Labs

Open Csharp labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.