This vulnerability occurs when sensitive data, such as credentials, API keys, or internal logic, is embedded within test code or debugging applications that remain accessible in production environments. Attackers can discover and exploit these forgotten endpoints to gain unauthorized access or gather critical intelligence about the system.
Developers often create test scripts, debug pages, or administrative backdoors to streamline development and troubleshooting. These components are typically secured only by the assumption that attackers won't know they exist—a dangerous practice known as "security through obscurity." Because they are not part of the official production code review, they frequently contain hardcoded secrets, expose internal functions, or have relaxed security controls, making them prime targets for exploitation.
To prevent this, treat all test code with the same security rigor as production code. Before deployment, systematically identify and remove or disable any test applications, stubs, and diagnostic endpoints. Implement automated scanning in your CI/CD pipeline to detect sensitive information in all code branches, and enforce environment-specific configurations so that test secrets are never deployed to live systems.
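One way to implement the pre-deployment check described above, as an added example that is not part of the original page: a Python script that scans a build artifact for leftover test or debug files and for hardcoded secrets inside them. The path patterns, the secret heuristic, and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed naming conventions for test/debug code; adjust to your project.
TEST_PATH = re.compile(r"(^|/)(tests?|debug|stubs?)(/|$)|(^|/)(test_|debug_)[^/]*$|_test\.[a-z]+$", re.I)
# Assumed heuristic: a sensitive-looking name assigned a quoted literal.
SECRET = re.compile(r"""(?i)\b(\w*(?:password|passwd|secret|api_?key|token)\w*)\s*[:=]\s*["']([^"']{6,})["']""")

def scan_artifact(root):
    """Return (path, line, message) findings for test/debug files in a deployable artifact."""
    findings = []
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if not TEST_PATH.search(rel):
            continue
        findings.append((rel, 0, "test/debug file shipped in artifact"))
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            m = SECRET.search(line)
            if m:
                # Report the variable name only, never the secret value itself.
                findings.append((rel, lineno, f"hardcoded secret in '{m.group(1)}'"))
    return findings

def build_sample(root):
    """Constructed sample artifact: one production file, two leftover test/debug files."""
    files = {
        "app/main.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
        "app/tests/test_login.py": 'ADMIN_PASSWORD = "constructed-example-pw"\n',
        "app/debug_console.py": 'print("diagnostics")\n',
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_artifact(tmp)

if __name__ == "__main__":
    results = run_demo()
    for rel, lineno, msg in results:
        print(f"{rel}:{lineno}: {msg}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline stage
```

Run as a pipeline stage against the packaged artifact rather than the source tree, so the check reflects what would actually be deployed.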
Impact: Read Application Data