Language: rust
Severity: low
CWE: CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

Authorization headers are added to HTTP requests without marking the header value as sensitive with set_sensitive(true). Without that flag, credentials such as API keys or bearer tokens are printed in full whenever the header value is formatted for logging, debugging output, or error reporting.
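The unflagged and the flagged pattern side by side, as an added example that is not part of the original rule page. The `http` crate is not assumed to be available here, so the block carries a small local model of HeaderValue whose set_sensitive / is_sensitive / Debug behaviour mirrors the real type (Debug prints the word Sensitive instead of the bytes once the flag is set); the audit helper and the token string are constructed for illustration.

```rust
use std::fmt;

/// Local stand-in for `http::HeaderValue`, constructed for this example only.
#[derive(Clone, PartialEq, Eq)]
pub struct HeaderValue {
    bytes: Vec<u8>,
    is_sensitive: bool,
}

impl HeaderValue {
    pub fn from_str(s: &str) -> HeaderValue {
        HeaderValue { bytes: s.as_bytes().to_vec(), is_sensitive: false }
    }
    /// Mirrors `http::HeaderValue::set_sensitive`: marks the value as a credential.
    pub fn set_sensitive(&mut self, val: bool) { self.is_sensitive = val; }
    pub fn is_sensitive(&self) -> bool { self.is_sensitive }
}

/// Once flagged, `{:?}` yields the literal `Sensitive`, so a log line or error
/// message that formats the header can no longer carry the token itself.
impl fmt::Debug for HeaderValue {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        if self.is_sensitive { f.write_str("Sensitive") }
        else { write!(f, "{:?}", String::from_utf8_lossy(&self.bytes)) }
    }
}

/// Pattern the rule flags: the token is printed verbatim by any `{:?}`.
pub fn unflagged_auth(token: &str) -> HeaderValue {
    HeaderValue::from_str(&format!("Bearer {token}"))
}

/// Corrected pattern: same header, flagged before it reaches any logger.
pub fn flagged_auth(token: &str) -> HeaderValue {
    let mut v = HeaderValue::from_str(&format!("Bearer {token}"));
    v.set_sensitive(true);
    v
}

/// Audit helper (constructed): names of credential-bearing headers left unflagged.
pub fn unflagged_credentials(headers: &[(&str, HeaderValue)]) -> Vec<String> {
    const CREDENTIAL_HEADERS: [&str; 4] =
        ["authorization", "proxy-authorization", "cookie", "set-cookie"];
    headers.iter()
        .filter(|(name, v)| {
            CREDENTIAL_HEADERS.contains(&name.to_ascii_lowercase().as_str()) && !v.is_sensitive()
        })
        .map(|(name, _)| name.to_string())
        .collect()
}
```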

Impact

If sensitive headers are not marked as such, their values could be accidentally exposed in logs, debugging output, or error messages. This can lead to credential leakage, allowing attackers to gain unauthorized access to protected resources or user accounts.