-
-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
commonlib: add more details to "Information Leakage" vulnerability #5834
base: main
Are you sure you want to change the base?
Conversation
Adds more solutions and reference links to Information Leakage vulnerability. Signed-off-by: joshua530 <[email protected]>
All contributors have signed the CLA ✍️ ✅ |
I have read the CLA Document and I hereby sign the CLA |
CHANGELOG.md should also be updated. I'm sure if you scroll a bit you can find related previous entries. |
Adds more solutions and reference links to Information Leakage vulnerability. Signed-off-by: joshua530 <[email protected]>
My apologies for forgetting. I've made the changes. |
Note for the team - the vulnerabilities.xml file was originally imported from the WASC website. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one minor item
* Store sensitive data only if you have to. | ||
* Implement checks for sensitive information in your devops pipeline. Steps that could be taken include stripping developer comments, removing debugging information and sensitive logs, as well as making error messages less verbose. | ||
* In situations where the sensitive information must be used, for instance, backend microservices, ensure trust boundaries are appropriately drawn. Example: set up an isolated, well secured kubernetes cluster with well configured access controls, then only grant access to authorized clients. | ||
* In situations where error messages need to be returned to the user, use messages that are as generic as possible eg "invalid credentials" instead of "invalid username" or "invalid password" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a period for consistency
Adds more solutions and reference links to Information Leakage vulnerability.
Part of zaproxy/zaproxy#8056