Security Beginner 5 tests

Sensitive Data Exposure

The application leaks data it should never send - password hashes in API responses, credentials in HTML comments, internal tokens in profile endpoints, and raw stack traces on errors. One endpoint handles data correctly. Find the rest.

What is Sensitive Data Exposure?

Sensitive data exposure (OWASP A02:2021 - Cryptographic Failures / Data Exposure) occurs when an application accidentally returns data it should protect - password hashes, session tokens, internal IDs, API keys, or credentials. It does not require an injection attack: the server volunteers the data in a normal response. Common sources are over-broad API serializers, verbose error pages, and developer comments left in templates.

What is hidden here

Test 1: Card API returns password_hash, last_login_ip, and internal_user_id alongside public fields (bug)
Test 2: Safe card endpoint returns only public fields - name, email, company, job_title (true negative)
Test 3: HTML source of this page contains a developer comment with plaintext admin credentials (bug)
Test 4: 500 error response includes a full stack trace, database password, and secret key in the body (bug)
Test 5: User profile endpoint returns a live password reset token, Stripe customer ID, and 2FA backup codes (bug)
Test 1 - Card API Leaks Password Hash and Internal Fields
Call the card endpoint and inspect every field in the response. A well-designed API should return only the fields a client actually needs.
GET /qa-sandbox/sensitive-data/?action=api-card-unsafe

Test 2 - Safe Card Endpoint - No Sensitive Fields
The sanitized endpoint returns only the fields the client needs. Compare the response schema against Test 1 to see what was removed.
GET /qa-sandbox/sensitive-data/?action=api-card-safe

Test 3 - Admin Credentials in HTML Source Comment
Developer comments in HTML are sent to every browser that loads the page. View the source of this page to find the comment, or use the scanner button below.

Manual method: press Ctrl+U (Windows/Linux) or Cmd+Option+U (Mac) to view page source, then search for <!-- near line 2.

GET /qa-sandbox/sensitive-data/
- fetch page HTML, search for <!-- ... --> blocks

Test 4 - 500 Error Exposes Stack Trace and Secrets
Trigger a server error and inspect the response body. Production errors must return a generic message - never internal state.
GET /qa-sandbox/sensitive-data/?action=error-trace

Test 5 - User Profile API Leaks Tokens and Internal IDs
The profile endpoint was built by a serializer that includes every model field. Check whether security-critical fields are present in the response.
GET /qa-sandbox/sensitive-data/?action=user-profile-unsafe

For Test 1: confirm that password_hash is a real PBKDF2 hash string, not a placeholder - the format is algorithm$iterations$salt$hash.
For Test 2: verify the response schema contains only id, name, email, company, job_title and no additional keys.
For Test 3: use Ctrl+U to view raw HTML source and search for <!--. The comment is on line 2, outside the HTML element.
For Test 4: note the HTTP status code of the response (500) alongside the leaked DATABASE_PASSWORD and EMAIL_HOST_PASSWORD fields.
For Test 5: decode the password_reset_token JWT at jwt.io - it contains a valid-looking user_id claim that could be used to trigger a real reset.
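As an added example (not the sandbox's own code), the "serialize every model field" bug behind Tests 1 and 5 beside the allowlist serializer that produces Test 2's shape, plus a recursive audit that reports sensitive key names at any nesting depth (Test 4 hides its secrets under leaked_data.settings_exposed) and the algorithm$iterations$salt$hash shape check from the Test 1 note. The user record, the key-name regex and the hash pattern are assumptions modelled on the fields listed above.

```python
import re

# Constructed sample record standing in for the sandbox's user model.
USER = {
    "id": 1, "name": "Ada", "email": "ada@example.com",
    "company": "ExampleCo", "job_title": "Engineer",
    "password_hash": "pbkdf2_sha256$600000$c0nstructedsalt$c0nstructedhash",
    "last_login_ip": "10.0.0.5", "internal_user_id": 4242,
    "password_reset_token": "eyJ.constructed.token",
}
PUBLIC_FIELDS = ("id", "name", "email", "company", "job_title")

def serialize_unsafe(record: dict) -> dict:
    """The bug behind Tests 1 and 5: every stored field goes to the client."""
    return dict(record)

def serialize_safe(record: dict) -> dict:
    """Allowlist serializer: only the fields a client needs (Test 2's shape)."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}

# Key names that should never appear in a response body at any depth (assumed list).
SENSITIVE_KEY_RE = re.compile(
    r"password|hash|secret|token|_ip$|internal_|uuid|backup_codes|stripe|account_flags",
    re.I)

def find_leaks(payload, prefix: str = "") -> list:
    """Walk a decoded JSON body and return dotted paths of sensitive keys.
    Recursion matters: Test 4 nests its secrets under leaked_data.settings_exposed."""
    leaks = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            path = prefix + key
            if SENSITIVE_KEY_RE.search(key):
                leaks.append(path)
            leaks.extend(find_leaks(value, path + "."))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            leaks.extend(find_leaks(item, f"{prefix}{i}."))
    return leaks

# Test 1 check: a real hash has the shape algorithm$iterations$salt$hash.
PBKDF2_RE = re.compile(r"^[a-z0-9_]+\$\d+\$[^$]+\$[^$]+$")

def is_real_pbkdf2(value: str) -> bool:
    return bool(PBKDF2_RE.match(value))

if __name__ == "__main__":
    for name, body in ("unsafe", serialize_unsafe(USER)), ("safe", serialize_safe(USER)):
        print(name, "leaks:", find_leaks(body) or "none")
```

Run find_leaks over the decoded body of each endpoint in the guide below; the safe card endpoint is the only one that should come back empty.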

Postman / API Guide

All tests use GET /qa-sandbox/sensitive-data/?action=<action>. No auth or body required.

For Test 3, send a plain GET /qa-sandbox/sensitive-data/ and search the HTML body for <!--.

Test 1 - Unsafe card API
GET /qa-sandbox/sensitive-data/?action=api-card-unsafe

# Look for these sensitive fields in the response:
# password_hash, last_login_ip, internal_user_id, account_flags

Test 2 - Safe card API (true negative)
GET /qa-sandbox/sensitive-data/?action=api-card-safe

# Confirm response contains ONLY: id, name, email, company, job_title

Test 3 - HTML comment scan
GET /qa-sandbox/sensitive-data/
Accept: text/html

# In the response body search for: <!--
# Expected find: <!-- TODO: remove before prod - admin:Adm1n@2024 backup-admin:B4ckup#99 -->

Test 4 - Error trace exposure
GET /qa-sandbox/sensitive-data/?action=error-trace

# Response: HTTP 500
# Look for: leaked_data.settings_exposed containing
# SECRET_KEY, DATABASE_PASSWORD, EMAIL_HOST_PASSWORD

Test 5 - Profile API leaks tokens
GET /qa-sandbox/sensitive-data/?action=user-profile-unsafe

# Look for: password_reset_token, stripe_customer_id,
#            internal_uuid, session_token, two_factor_backup_codes