Quiz Entry - updated: 2026.06.26
What does OWASP A3 — Sensitive Data Exposure cover, and how should you defend against it?
Attackers stealing keys, passwords, business secrets, or personal data — from the server, during transmission, or from the client.
The category covers any case where sensitive data is stored, transmitted, or cached without adequate protection. The classic example is plaintext FTP: login: anonymous / password: <your id> was sent in the clear in the 90s, and the modern equivalent is unencrypted HTTP carrying session cookies on hotel Wi-Fi.
Defenses:
- Don't store/transmit what you don't need — data you never collected can't be leaked.
- Classify data by sensitivity and protect accordingly (PII, payment card data, secrets all have different requirements).
- Encrypt sensitive data at rest.
- Hash passwords with a slow password-hashing function (bcrypt, scrypt, Argon2) using salt and ideally pepper — never store passwords reversibly.
- Encrypt in transit: FTP → SFTP, HTTP → HTTPS, telnet → SSH. Verify the certificate.
- Use strong, modern ciphers. Disable SSLv3, TLS 1.0/1.1, RC4, MD5-signed certs.
- Don't cache sensitive data on the client — use
Cache-Control: no-store.
Tip: Sensitive data exposure rarely happens because crypto was broken — it happens because crypto wasn't used (or wasn't checked). Hit-rate: missing Secure flag on cookies, missing HSTS, ancient TLS configs.