The application must not expose sensitive information in sections that are publicly accessible.
Some applications have sections such as web pages and endpoints that are publicly exposed or do not require an initiated session to be accessed. These sections should contain neither sensitive corporate information nor users' or employees' personal data. Furthermore, corporate sensitive information should not be exposed on personal social network accounts either.
CAPEC-116: Excavation. An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor. The product does not properly prevent a person’s private, personal information from being accessed by actors who either are not explicitly authorized to access the information or do not have the implicit consent of the person about whom the information is collected.
CWE-548: Exposure of Information Through Directory Listing. A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least ensure that personal data can be accessed only by authorized personnel for legally authorized purposes.
GDPR. Art. 5: Principles relating to processing of personal data.(1)(f). Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
ISO 27001:2013. Annex A - 18.1.3 Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.
OWASP Top 10 A3:2017-Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 V4.3 Other Access Control Considerations.(4.3.2) Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders.
PCI DSS v3.2.1 - Requirement 1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.