Sensitive Data Exposure

Personally Identifiable Information (PII) and other categories of sensitive information (relating to a person's political opinions, race, sexual orientation, religious or philosophical beliefs and others) are often grouped under the security vulnerability “Sensitive Data Exposure”.

Sensitive Data Exposure occurs when anybody holding your information (an individual, company or charity) is in one of these three scenarios: 

  • Unknowingly exposes sensitive data, which can be accidental or through unauthorised access - a confidentiality breach 
  • Has a security incident which results in the unauthorised or accidental alteration of sensitive data - an integrity breach 
  • Has a security incident which leads to the temporary or permanent unauthorised or accidental loss of access to, or destruction of sensitive data - an availability breach 

Data exposure can arise from a variety of scenarios, which makes identifying and testing for them complex, but doing so is often a requirement of the EU/UK General Data Protection Regulation (GDPR) and of other regulations for financial data protection, such as the PCI Data Security Standard (PCI DSS).

Common attack vectors include SQL injection, cross-site scripting (XSS), insecure direct object references, and improper error handling, so testing should validate data sanitisation, encryption, access controls, data masking and error handling. Attackers may exploit these vulnerabilities to gain unauthorised access to databases, intercept sensitive communications, or manipulate data transmission, so companies should also promote security awareness training, particularly for individuals who can facilitate data access and/or movement.
Analogy:
You write down your ATM PIN on a sticky note… and paste it on the machine. Then tell yourself, “It’s fine, it’s in small font.”
What’s happening:
Sensitive info—passwords, credit cards, tokens—is getting exposed in logs, error messages, or raw API responses. Often by accident. Always dangerous.
Test Like This:
Dig into API payloads, browser dev tools, or error pages. I once found very sensitive data using Inspect Element because a developer had hardcoded some checks.
Sensitive Data Exposure is a common web security vulnerability where applications expose sensitive information such as passwords, credit card numbers, health records, or personal information due to poor security practices.

Examples:
  • Data sent over HTTP instead of HTTPS.
  • Passwords stored in plain text.
  • Weak or outdated encryption (e.g. MD5 or SHA-1); use bcrypt, scrypt, or Argon2 with a salt instead.
  • Data leakage via verbose error messages, logs, or browser storage.


❌ Insecure: storing plaintext password

    user_data = { "username": "aiman", "password": "mysecretpassword" }

✅ Secure: hash + salt the password

    import bcrypt
    import hashlib

    password = "mysecretpassword"
    salt = bcrypt.gensalt()                           # random salt, generated per user
    hashed = bcrypt.hashpw(password.encode(), salt)   # bcrypt expects bytes, not str
    username = "aiman"
    hashed_username = hashlib.sha256(username.encode()).hexdigest()

I have known this vulnerability; the solution is taken from the internet.
