Skip to main content
Version: Next

Hash Disclosure In Response

Hash Disclosure In Response

What is it?

The response contains one or more hash values that could represent secrets and/or passwords.

References

Test case FAQs

When is this test case applicable?

This is applicable for all API endpoints when the Baseline security category is enabled in test plans.

How does it work?

Responses from the API server are analyzed for the presence of common hash values (MD5 Crypt, SHA-256 Crypt, SHA-512, SHA-384, Mac OSX salted SHA-1, NTLM, BCrypt, Kerberos AFS DES, OpenBSD Blowfish, etc), that could potentially represent secrets and/or passwords.

What is the solution?

Verify if hashes present in the response pertain to secrets. If secrets are being sent as hashes, ensure it is justified by a legitimate business requirement.