Conversation

appsec-player

Thank you for submitting a pull request to WebGoat!

@idanelor force-pushed the test_2_sensitive_data branch from 8a74965 to e3c5ea5 on September 14, 2022 12:07
@appsec-playground deleted a comment from apiiro-staging bot on Sep 14, 2022
@idanelor force-pushed the test_2_sensitive_data branch from e3c5ea5 to e8c1f35 on September 14, 2022 13:32
@appsec-playground deleted a comment from apiiro-staging bot on Sep 14, 2022
@apiiro-staging

5 material changes identified by Apiiro:
WORKFLOW - 1 · API is Added:
A new API is added!
Run a security code review. Make sure:

  1. Input Validation
  2. Authorization
  3. Authentication
  4. Run a code review and make sure there aren't any flaws

WORKFLOW - 3 · Sensitive Data Involved in API:
Sensitive data is added to the code repo. It might expose a compliance risk. Make sure it is not written to logs.

  • PII exposed by an API (1)
  • PII involved in an API (1)
  • PII data written to logs (2)
    • src/main/java/org/owasp/webgoat/lessons/apiiro/utils/UserDetails.java - Line: #13
    • src/main/java/org/owasp/webgoat/lessons/apiiro/utils/UserDetails.java - Line: #13

API Changes

  • ⚠ New API GET /access-control/list-users (SensitiveAPILesson.java:64) that is sensitive, unauthenticated and exposing sensitive data
    • ⚠ Sensitive data of type PII involved in the flow of an API method
    • ⚠ Sensitive data of type PII exposed by an API method

Data Model Changes

  • ⚠ Sensitive data field firstName (UserDetails.java:13) that is involved in API flow and exposed in API - part of UserDetails data model
    • ⚠ Written to log
  • ⚠ Sensitive data field phoneNumber (UserDetails.java:13) that is involved in API flow and exposed in API - part of UserDetails data model
    • ⚠ Written to log
