CWE-201 Sensitive Data in Sent Data
What this means
SiteShadow flagged sensitive information being included in data sent outside the trusted boundary (HTTP responses, emails, webhooks, third-party API calls, analytics events).
Why it matters
Sensitive data in an outbound payload can be intercepted in transit or misused by whoever receives, stores, or forwards it.
- Privacy leaks: PII/PHI can end up in places you don't control (vendors, inboxes, logs).
- Credential compromise: tokens/keys in responses can lead to account takeover.
- Long-tail exposure: sent data is copied, stored, and forwarded.
Safer examples
1) Return only what the client needs (DTO allowlists)
res.json({ id: user.id, name: user.name }); // not the full user object
2) Strip sensitive fields before sending to vendors
For analytics/telemetry, avoid raw emails, tokens, auth headers, and full request bodies.
3) Treat outbound payloads as "public by default"
Assume anything sent out of process can be stored forever.
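Steps 1 to 3 above in working JavaScript, as an added example that is not SiteShadow's own code: toPublicUser applies a field allowlist for HTTP responses, and scrubForVendor redacts sensitive keys and raw e-mail values from a payload before it goes to analytics or a webhook. The key list, helper names and the sample record are assumptions for illustration.

```javascript
// Added example (not SiteShadow's own code): an allowlist DTO for HTTP
// responses plus a recursive scrubber for payloads sent to vendors.

// 1) Allowlist: name the fields a client may see; anything else is dropped,
//    so a sensitive column added to the model later is never sent by accident.
const PUBLIC_USER_FIELDS = ['id', 'name'];

function toPublicUser(user) {
  const dto = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in user) dto[key] = user[key];
  }
  return dto; // in an Express handler: res.json(toPublicUser(user));
}

// 2) Denylist for telemetry/webhook payloads: key names (case-insensitive)
//    that must not leave the process, plus a check for raw e-mail values.
//    The key list is an assumed starting point, not SiteShadow's heuristic.
const SENSITIVE_KEY = /password|passwd|secret|token|api[-_]?key|authorization|cookie|session|ssn/i;
const EMAIL_VALUE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function scrubForVendor(value, seen = new WeakSet()) {
  if (value && typeof value === 'object') {
    if (seen.has(value)) return '[Circular]'; // guard against cyclic objects
    seen.add(value);
    if (Array.isArray(value)) return value.map((v) => scrubForVendor(v, seen));
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      // Redact the whole subtree under a sensitive key (e.g. a session object).
      out[key] = SENSITIVE_KEY.test(key) ? '[REDACTED]' : scrubForVendor(v, seen);
    }
    return out; // a new object: the original record is left untouched
  }
  if (typeof value === 'string' && EMAIL_VALUE.test(value)) return '[REDACTED_EMAIL]';
  return value;
}

// Constructed sample record (placeholder values, not real data).
const sampleUser = {
  id: 42,
  name: 'Ada',
  email: 'ada@example.com',
  passwordHash: 'constructed-placeholder-hash',
  apiKey: 'constructed-placeholder-key',
  session: { token: 'constructed-placeholder-token', ip: '203.0.113.5' },
};

console.log(toPublicUser(sampleUser));   // { id: 42, name: 'Ada' }
console.log(scrubForVendor(sampleUser)); // email, passwordHash, apiKey, session redacted
```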
How SiteShadow detects it (high level)
- Looks for common outbound sinks (HTTP responses, email senders, telemetry SDKs) and flags inclusion of sensitive fields.
- Uses heuristics for sensitive keys/structures (tokens, passwords, secrets, PII).
References
- CWE-201: https://cwe.mitre.org/data/definitions/201.html