Unprotected JSON file leaking secrets
Description
This vulnerability occurs when JSON configuration files containing sensitive information such as API keys, database credentials, encryption keys, or authentication tokens are stored in a publicly accessible location on a web server, so that anyone who can reach the URL obtains the secrets without authenticating. Attackers discover such files through directory enumeration, predictable file paths, or exposed version control directories. A JSON file has been identified that appears to contain sensitive credentials or secrets that should not be publicly accessible.
Remediation
Take the following steps to remediate this vulnerability:
Immediate Actions:
1. Remove the exposed JSON file from the publicly accessible directory immediately, and purge any CDN or reverse-proxy cache that may still serve a copy of it
2. Rotate all credentials and secrets found in the file (API keys, passwords, tokens, etc.); treat them as compromised even if no unauthorized access is found in the logs, since the file may have been fetched before log retention began or through a cache
3. Review access logs to determine whether the file was accessed by unauthorized parties, from which addresses, and over what period
Long-term Solutions:
1. Store secrets in environment variables instead of configuration files:
// Instead of storing in config.json:
// { "api_key": "secret123" }
// Read the values from the process environment, and fail fast at startup
// if a required secret is missing rather than running with an undefined key:
const apiKey = process.env.API_KEY;
const dbPassword = process.env.DB_PASSWORD;
if (!apiKey || !dbPassword) {
  throw new Error('API_KEY and DB_PASSWORD must be set in the environment');
}
2. Use a secrets management service (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)
3. If configuration files must contain secrets, store them outside the web root directory and restrict file permissions so that only the account the application runs as can read them (for example, mode 0600 owned by the service user)
4. Add sensitive configuration files to .gitignore to prevent accidental commits to version control; note that ignoring a file does not remove copies already committed, so any secret that has ever been pushed must be rotated and, for shared repositories, purged from the history
5. Implement proper access controls and authentication for any configuration endpoints
6. Use configuration file templates with placeholder values for version control, with actual secrets injected at deployment time