testing-for-sensitive-data-exposure

Featured

Identifying sensitive data exposure vulnerabilities including API key leakage, PII in responses, insecure storage, and unprotected data transmission during security assessments.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Testing for Sensitive Data Exposure ## When to Use - During authorized penetration tests when assessing data protection controls - When evaluating applications for GDPR, PCI DSS, HIPAA, or other data protection compliance - For identifying leaked API keys, credentials, tokens, and secrets in application responses - When testing whether sensitive data is properly encrypted in transit and at rest - During security assessments of APIs that handle PII, financial data, or health records ## Prerequisites - **Authorization**: Written penetration testing agreement with data handling scope - **Burp Suite Professional**: For intercepting and analyzing responses for sensitive data - **trufflehog**: Secret scanning tool (`pip install trufflehog`) - **gitleaks**: Git repository secret scanner (`go install github.com/gitleaks/gitleaks/v8@latest`) - **curl/httpie**: For manual endpoint testing - **Browser DevTools**: For examining local storage, session storage, and cached data - **testssl.sh**: TLS configuration testing tool ## Workflow ### Step 1: Scan for Secrets in Client-Side Code Search JavaScript files, HTML source, and other client-side resources for exposed secrets. ```bash # Download and search JavaScript files for secrets curl -s "https://target.example.com/" | \ grep -oP 'src="[^"]*\.js[^"]*"' | \ grep -oP '"[^"]*"' | tr -d '"' | while read js; do echo "=== Scanning: $js ===" # Handle relative URLs if [[ "$js" == /* ]]; then curl -s "https://targe...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Featured

exploiting-excessive-data-exposure-in-api

Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying on the frontend to filter sensitive fields. The tester intercepts API responses and analyzes them for leaked PII, internal identifiers, debug information, or sensitive business data that the UI does not display but the API transmits. This maps to OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving API data leakage testing, excessive data exposure, response filtering bypass, or API over-fetching.

12,642 Updated today
mukul975
Testing & QA Listed

secret-detection--prevention

Automated detection and prevention of leaked secrets, API keys, passwords, and tokens in code using tools like gitleaks, trufflehog, and pre-commit hooks.

127 Updated 5 days ago
PramodDutta
AI & Automation Solid

secret-detection-scanner

Detect secrets, credentials, and sensitive data in code and configurations. Scan git history for secrets, detect API keys, tokens, passwords, check environment files, monitor CI/CD logs for exposure, generate remediation steps, and track secret rotation status.

1,034 Updated today
a5c-ai
AI & Automation Listed

api-security-testing

Security testing checklist for HTTP APIs—authn/z, input validation, rate limits, sensitive data exposure, and common OWASP API issues. Use when reviewing or testing REST/GraphQL endpoints before release.

15 Updated yesterday
charlieviettq
Testing & QA Featured

testing-for-xxe-injection-vulnerabilities

Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.

12,642 Updated today
mukul975