Pikachu target range - Sensitive information leakage

Brief description of sensitive information leakage

Attack methods:
The common attack method is to scan the application in order to obtain sensitive data.

Causes of the vulnerability:
Application maintainers or developers inadvertently upload sensitive data, such as files leaked through GitHub;
Incorrect permission settings on sensitive data files, such as database backup files left readable in the website directory;
Weaknesses in the network protocols and algorithms themselves, such as telnet, FTP and MD5.

Impact of the vulnerability:
applications and websites are tampered with, and personal and company information is leaked and sold for profit.

Vulnerability protection:
For GitHub leaks, regularly scan the repository.
Regularly scan the application's website directory.
Use strong network protocols and algorithms.

Implement Transport Layer Security (TLS) to protect data in transit
Avoid storing sensitive data where possible, and do not store it for longer than necessary
Encrypt all data that needs to be stored at rest
Force encryption via HTTP Strict Transport Security (HSTS) or similar directives
Do not cache responses containing sensitive data
Classify data (in processing, storage or transmission) and apply controls based on its classification
Implement strong standard algorithms, protocols and keys
Always salt and hash passwords, using password hashing functions such as bcrypt, scrypt, Argon2 or PBKDF2

icanseeyourABC

According to the prompt, look for abc and access abc.php directly.

Login successful.

Checking the source code of the login page reveals a test account:

lili/123456

This account can also log in successfully.
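As an added example (not part of the original post or of the pikachu project), the following Python check runs over a local copy of a web root and flags the two findings this page describes: backup or dump files left in the website directory, and test credentials left in page-source comments. The file-name patterns, the comment regex and the sample files are assumptions constructed here.

```python
import os
import re
import tempfile
from pathlib import Path

# Names and suffixes that should never be reachable under a public web root
# (version-control metadata, environment files, backups and database dumps).
RISKY_NAMES = {".git", ".svn", ".env"}
RISKY_SUFFIXES = (".bak", ".old", ".sql", ".zip", ".tar.gz", ".swp")
SOURCE_SUFFIXES = (".html", ".htm", ".php", ".js")

# HTML and C-style comments, and a credential-like "keyword: value" inside them,
# e.g. "<!-- test account: lili/123456 -->" (assumed pattern, not a full parser).
COMMENT_RE = re.compile(r"<!--(.*?)-->|/\*(.*?)\*/", re.S)
CRED_RE = re.compile(r"(?:user|account|pass|pwd)\w*\s*[:=]\s*\S+", re.I)


def scan_webroot(root):
    """Return (path, finding) pairs for files to remove or fix before deployment."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in RISKY_NAMES:
                findings.append((os.path.join(dirpath, d), "vcs-or-secret-directory"))
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn in RISKY_NAMES or fn.lower().endswith(RISKY_SUFFIXES):
                findings.append((path, "backup-or-dump-file"))
            elif fn.lower().endswith(SOURCE_SUFFIXES):
                text = Path(path).read_text(errors="replace")
                for m in COMMENT_RE.finditer(text):
                    body = (m.group(1) or m.group(2) or "").strip()
                    if CRED_RE.search(body):
                        findings.append((path, "credential-like comment: " + body))
    return findings


def demo():
    """Scan a constructed sample web root (temporary files, not a real site)."""
    root = tempfile.mkdtemp()
    Path(root, "index.html").write_text(
        "<html><!-- test account: lili/123456 --><body>login</body></html>")
    Path(root, "about.html").write_text("<html><!-- TODO: tidy layout --></html>")
    Path(root, "db_backup.sql").write_text("-- constructed dump, no real data")
    return sorted(kind for _, kind in scan_webroot(root))


if __name__ == "__main__":
    for kind in demo():
        print(kind)
```

Running it against the staging copy of the site before each deployment catches the leftover dump file and the commented-out test account; the harmless "TODO" comment is not reported.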


Origin blog.csdn.net/qq_29977871/article/details/131253238