I — Information Disclosure
Information Disclosure happens when sensitive data is exposed to someone who should not see it. Confidentiality is the target.
What it means
Sensitive information is exposed to someone who shouldn’t have access (leaks, over-sharing, weak access control).
Why it matters
Exposed data enables identity theft, account takeover, fraud, and compliance issues (confidentiality breaks).
How to mitigate
Enforce access control, minimize returned data, mask secrets, and log safely. Never ship keys or private data to clients.
Raw Database Dump
A debug endpoint exposes database rows. Identify what the core flaw is.
Endpoint response:
GET /debug/users
id | email | password_hash | reset_token | last_login_ip
1 | ad...@corp.com | md5... | 9f83a... | 83...
2 | al...@corp.com | md5... | 1ab44... | 83...
3 | bj...@corp.com | md5... | 3da82... | 84...
Encoders
While scouring the logs... you notice an encoded password...
bXlzdXBlcnNlY3JldHBhcw==
Decoding an unsafely encoded password:
What's the real password?
Tokens & Leaks
Tokens are sent through a microservice architecture as a JWT.
JWT payload:
The client and the backend pass the following token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4iLCJwYXNzd29yZCI6InN1cGVyc2VjcmV0Iiwic3NuIjoiMTk5MDAxMDEtMTIzNCJ9.GcU68dKgX4xq01UJRypZFMdxKRlsxGFW4og8prgqDxc
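As an added illustration (not part of the exercise material), the Python below decodes the token above without verifying its signature, flags claims that should never travel inside a JWT, and produces a log-safe view of the payload. The claim deny-list and the national-ID value pattern are assumptions chosen for this example.

```python
import base64
import json
import re

# Token taken from the exercise above (header.payload.signature).
EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VyIjoiYWRtaW4iLCJwYXNzd29yZCI6InN1cGVyc2VjcmV0Iiwic3NuIjoiMTk5MDAxMDEtMTIzNCJ9."
    "GcU68dKgX4xq01UJRypZFMdxKRlsxGFW4og8prgqDxc"
)

# Assumed deny-list: a JWT payload is only base64url-encoded, so every hop
# (client, proxies, log pipelines) can read these fields in clear.
SENSITIVE_CLAIM_NAMES = {"password", "passwd", "secret", "ssn", "credit_card", "api_key"}
# Assumed value shape for a national-ID style string (YYYYMMDD-NNNN).
SSN_LIKE = re.compile(r"^\d{8}-\d{4}$")


def decode_segment(segment: str) -> dict:
    """base64url-decode one JWT segment, restoring the padding JWTs strip."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def find_sensitive_claims(token: str) -> list:
    """Return claim names whose name or value looks sensitive.
    The signature is NOT verified: this is an audit check, never authentication."""
    header_b64, payload_b64, _signature = token.split(".")
    decode_segment(header_b64)  # raises if the header is not valid JSON
    claims = decode_segment(payload_b64)
    flagged = []
    for name, value in claims.items():
        if name.lower() in SENSITIVE_CLAIM_NAMES:
            flagged.append(name)
        elif isinstance(value, str) and SSN_LIKE.match(value):
            flagged.append(name)
    return sorted(flagged)


def redact_for_log(token: str) -> dict:
    """Log-safe payload: sensitive values are replaced, not dropped, so an
    analyst can still see which fields the service put into the token."""
    claims = decode_segment(token.split(".")[1])
    sensitive = set(find_sensitive_claims(token))
    return {k: ("[REDACTED]" if k in sensitive else v) for k, v in claims.items()}


if __name__ == "__main__":
    print("sensitive claims:", find_sensitive_claims(EXAMPLE_TOKEN))
    print("log-safe payload:", redact_for_log(EXAMPLE_TOKEN))
```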