Looking for sensitive information

It's fairly common for applications to pass sensitive information. When testing, it's our job to make sure that sensitive information, wherever it gets passed to, is stored in a way that's (at least relatively) secured. The first thing I look for is plaintext storage of information. Some common places to look include:

  • file or disk (cookies, configuration files, temp files, etc...)

  • the registry

  • memory

  • databases

  • the GUI (urls, field properties, hidden fields, etc...)

  • executables (I've never reverse engineered a binary, but I know testers who do - and they find license keys, passwords, and other key pieces of information)

  • or even just information going across the wire

Checking for plaintext information for the list above is trivial for everything except memory and executables - and for those you can probably setup and learn the tools in a day or two. I find I don't check those two as often, but I do check the others.