Open Software Supply Chain Attack Reference (OSC&R)

T0163 - Runtime leakage of password

This technique involves searching for passwords or other sensitive information that is passed as command-line parameters or environment variables while an application or container is running. An attacker who can observe the running process can intercept it and capture that information in transit. Once the password or other secret is captured, the attacker can use it to gain unauthorized access to the system or its associated resources.
ID: T0163
Type: Technique
Tactic: Credential Access
Summary: Runtime leakage of password
State: Draft

Mitigations

ID: M1120
Type: Mitigation
Summary: Store credentials in vault
Description: Sensitive data like credentials and API tokens should not be stored directly in code. Modern applications talk to many third-party APIs, SaaS solutions and other dependencies. Such an integration usually requires an API token, a username and password, or a similar credential, and sometimes these sensitive values also include database host strings or hostnames. None of these credentials should be stored directly in code. Software engineers often do not appreciate the consequences of embedding them, especially in JavaScript applications that run client side, where the credentials are visible to anyone who inspects the JavaScript files loaded in the browser.

ID: M1630
Type: Mitigation
Summary: Implement runtime encryption
Description: Sensitive information such as passwords should be encrypted during runtime and while in transit.

Detections

ID: D1120
Type: Detection
Summary: Implement source code scanning for credentials and tokens
Description: Set up monitoring of the issues reported by regular credential scans. Scan web applications for embedded secrets and credentials. It is particularly important, after deployment to a web endpoint, to scan the newly deployed app for secrets, credentials and other sensitive data.

ID: D1260
Type: Detection
Summary: Implement regular security audit and review
Description: Conduct regular security audits and vulnerability assessments of your systems and storage configurations to identify and address any misconfigurations or vulnerabilities that could lead to exposed storage. This includes reviewing access controls, encryption settings and other security configurations to ensure they are aligned with best practices and organizational security policies.

ID: D1261
Type: Detection
Summary: Implement penetration testing
Description: Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks. It involves simulating real-world cyber attacks on a system, network or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors.

ID: D1262
Type: Detection
Summary: Implement vulnerability assessment
Description: Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating and prioritizing vulnerabilities in a system, network or application. It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate action to remediate or mitigate those vulnerabilities.
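Detection D1120 applied to the leakage paths this technique names (hard-coded literals, environment variables and command-line parameters), as an added Python example that is not part of the OSC&R entry: a small pattern-based scanner run over constructed sample lines from a source file, a Dockerfile and a shell history. The rule names, patterns and sample values are constructed for this example, and it skips vault-style placeholders so that mitigation M1120 does not raise a false finding.

```python
import re
from dataclasses import dataclass

# Each rule maps a name to a regex whose first group captures the secret literal.
# Order matters: the first rule that matches a line wins.
RULES = {
    # secret baked into an image or shell session, e.g. ENV DB_PASSWORD=... or export TOKEN=...
    "env-var-credential": re.compile(
        r"""^\s*(?:ENV|export)\s+\w*(?:PASSWORD|SECRET|TOKEN|KEY)(?:\s*=\s*|\s+)['"]?([^\s'"]{4,})""",
        re.IGNORECASE),
    # secret passed as a command-line parameter, e.g. --password=... or --token ...
    "cli-parameter-credential": re.compile(
        r"""--(?:password|passwd|token|api-key)[=\s]['"]?([^\s'"]{4,})""", re.IGNORECASE),
    # quoted literal assigned in source or config, e.g. password = "..." or "api_key": "..."
    "hardcoded-credential": re.compile(
        r"""(?:password|passwd|secret|api[_-]?key|token)['"]?\s*[:=]\s*['"]([^'"]{4,})['"]""",
        re.IGNORECASE),
}

@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number in the scanned text
    rule: str      # which rule fired
    secret: str    # the captured literal, so a reviewer can confirm it is a real credential

def scan(lines):
    """Return one Finding per line that carries a credential literal.
    Vault-style placeholders such as ${VAULT:db/password} are not literals and are skipped."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if m and not m.group(1).startswith("${"):
                findings.append(Finding(no, rule, m.group(1)))
                break  # one finding per line is enough for triage
    return findings

# Constructed sample input: lines from a source file, a Dockerfile and a shell history.
SAMPLE = [
    'db_password = "hunter2"',                      # hard-coded in source
    'ENV API_TOKEN=c0nstructed-t0ken-value',        # baked into a container image
    'psql --password=hunter2 -h db.example.test',   # passed as a runtime parameter
    'password = os.environ["DB_PASSWORD"]',         # resolved at runtime, no literal
    'ENV DB_PASSWORD=${VAULT:db/password}',         # vault reference, skipped
    'mkdir -p /var/lib/app',                        # unrelated, no finding
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.rule} -> {f.secret!r}")
```

The fourth sample line shows the shape that should replace a literal: the value is resolved at runtime from a vault or secret store rather than written into the file, so the scanner reports nothing for it.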
