Post by AMI-RythonCai on Sept 16, 2022 5:31:40 GMT
According to the definition of Sensitive data: Responses from URIs that contain sensitive data may return the HTTP 404 Not Found status code instead of the HTTP 401 Unauthorized status code or the HTTP 403 Forbidden status code to prevent attackers from obtaining the sensitive data in the URI. www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.15.1.pdf.
I would like to know what the scope of sensitive data is. Is there any standard to refer to? I couldn't find property annotations related to sensitive data in the resource schema.
A possible attack point could be the URI itself. If an attacker with invalid credentials gets back a 401 instead of a 404 for different URIs, they can deduce which URIs are valid. This can indicate the value of the Id property of different resources; if the attacker has knowledge about the behavior of that implementation, they might be able to use this information to determine system identifiers, session information, user information, or anything they managed to reverse engineer with their own instance of the implementation.
Ultimately, it's really going to come down to how you designed your implementation and what types of information an attacker can deduce from knowing that a given URI exists.
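The trade-off the reply describes, as an added example (not code from the thread, the DSP0266 spec, or any Redfish implementation): a toy GET dispatcher in which checking existence before credentials tells an unauthenticated caller which URIs exist, beside a variant that answers 404 for URIs flagged sensitive, as the spec wording quoted above allows. The resource table, paths, Ids and the `sensitive` flag are constructed assumptions, and only the unauthenticated (401) case is modelled, not the 403 privilege case.

```python
# Constructed resource table; paths, Ids and flags are made up for illustration.
RESOURCES = {
    "/redfish/v1": {"auth_required": False, "sensitive": False},
    "/redfish/v1/Systems/1": {"auth_required": True, "sensitive": False},
    "/redfish/v1/SessionService/Sessions/1a2b": {"auth_required": True, "sensitive": True},
    "/redfish/v1/AccountService/Accounts/7": {"auth_required": True, "sensitive": True},
}


def naive_get(path, authenticated):
    """Existence is checked before credentials, so an unauthenticated caller
    gets 404 for a missing URI but 401 for an existing one: an existence oracle."""
    res = RESOURCES.get(path)
    if res is None:
        return 404
    if res["auth_required"] and not authenticated:
        return 401
    return 200


def hardened_get(path, authenticated):
    """Same lookup, but URIs flagged sensitive answer 404 to unauthenticated
    callers whether or not they exist, so missing and existing look alike."""
    res = RESOURCES.get(path)
    if res is None:
        return 404
    if res["auth_required"] and not authenticated:
        return 404 if res["sensitive"] else 401
    return 200


def leaks_existence(handler, existing_path, missing_path):
    """Defender's check: True if an unauthenticated GET distinguishes an
    existing URI from a missing one by status code alone."""
    return handler(existing_path, False) != handler(missing_path, False)


if __name__ == "__main__":
    real = "/redfish/v1/SessionService/Sessions/1a2b"
    fake = "/redfish/v1/SessionService/Sessions/zzzz"  # Id that does not exist
    print("naive leaks session Ids:", leaks_existence(naive_get, real, fake))        # True
    print("hardened leaks session Ids:", leaks_existence(hardened_get, real, fake))  # False
```

Run the `leaks_existence` check over each collection you consider sensitive; any collection where it returns True for the hardened handler is one whose Id values an unauthenticated caller can still confirm.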