Secret Tokens Leak
| Details |
|---|
Severity: Medium
Test Name: Secret Tokens
Test ID: secret_tokens
Test Name: Secret Tokens
Test ID: secret_tokens
| Description |
|---|
This vulnerability allows an attacker to access secret tokens that should not be publicly available. Secret tokens, passwords, API keys, and other credentials are used in authentication processes and allow access to websites, applications, and APIs. When exposed in application responses or source code, they can lead to unauthorized access and other security risks.
Bright scans entry point responses for known secret patterns such as cloud provider keys, OAuth tokens, webhook URLs, and database connection strings. Each distinct leaked token is reported as a separate finding.
| Impact |
|---|
This vulnerability allows an attacker to:
- Gain privileges or assume identity
- Leak secrets
| Locations |
|---|
- The issue can be found in HTTP responses on the server side.
- The issue can be found in page content (including rendered HTML and client-side scripts) on the client side.
| Remediation suggestions |
|---|
- Ensure that secret tokens are not stored in the source code and are not publicly available.
- Use secure storage mechanisms such as environment variables or secure storage services to store secret tokens.
- Rotate secret tokens regularly to reduce the risk of unauthorized access.
| Classifications |
|---|
- CWE-200
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
| References |
|---|
Updated 17 days ago
Did this page help you?