13 lines
647 B
Plaintext
13 lines
647 B
Plaintext
==== Application's security downgrade
|
|
|
|
A downgrade can happen when the disclosed secret is used to protect
|
|
security-sensitive assets or features of the application. Depending on the
|
|
affected asset or feature, the practical impact can range from a sensitive
|
|
information leak to a complete takeover of the application, its hosting server
|
|
or another linked component.
|
|
|
|
For example, an application that would disclose a secret used to sign user
|
|
authentication tokens would be at risk of user identity impersonation. An
|
|
attacker accessing the leaked secret could sign session tokens for arbitrary
|
|
users and take over their privileges and entitlements.
|