CWE-531: Inclusion of Sensitive Information in Test Code
Official CWE-531 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-531: Inclusion of Sensitive Information in Test Code
Inclusion of Sensitive Information in Test Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Confidentiality: Read Application Data
Developer Pattern
CWE-531 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
high confidence from CWE-531, 4.20.
Official CWE Definition
CWE-531: Inclusion of Sensitive Information in Test Code
Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- Examples of common issues with test applications include administrative functions, listings of usernames, passwords or session identifiers and information about the system, server or application configuration.
Remediation
- Distribution,Installation: Remove test code before deploying the application into production.
Detection
- Code review
- SAST
- DAST
- Focused regression tests
Mappings
Related CVEs, CWEs, and ATT&CK context
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.