Leaking Secrets in Web Applications

Category: Deployment, Database, github

This post walks through an example of this flaw by looking at how environment variables can be misunderstood and misused in web applications.

Leaking Secrets describes an information disclosure flaw in which an application exposes sensitive credentials or API keys to an adversary.

This example application uses the Dotenv Rails gem to load environment variables from a .env file. Here it uses .env.local, loading every populated variable in that file into the ENV constant, which is then dumped by rack-mini-profiler.
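To make the mechanism concrete, the following is an added example (not code from the original post or from the Dotenv or rack-mini-profiler projects). It simulates what Dotenv does when it reads KEY=VALUE lines into a hash, then applies the redaction step a diagnostics page should run over ENV before rendering it; the .env contents, variable names and the two regular expressions are constructed assumptions.

```ruby
# Constructed sample .env contents; every value is a placeholder, not a real secret.
SAMPLE_DOTENV = <<~DOTENV
  # database settings
  DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
  RAILS_ENV=development
  STRIPE_SECRET_KEY=sk_test_PLACEHOLDER
  AWS_ACCESS_KEY_ID=AKIAPLACEHOLDER
  SESSION_TOKEN=abc123
  LOG_LEVEL=info
DOTENV

# Minimal KEY=VALUE parser in the spirit of Dotenv (no quoting or variable
# interpolation; a simplified stand-in for the gem's own parser).
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, env|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split("=", 2)
    next if key.nil? || value.nil?
    env[key.strip] = value.strip
  end
end

# Variable names that usually hold credentials (assumed list).
SENSITIVE_NAME = /SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY|PRIVATE/i

# Values that embed credentials even when the name looks harmless,
# e.g. a connection URL of the form scheme://user:password@host.
CREDENTIAL_IN_URL = %r{\A[a-z][a-z0-9+.-]*://[^:/\s]+:[^@/\s]+@}i

# Returns a copy of the environment hash with sensitive entries masked, so a
# profiler or debug page that dumps ENV cannot leak them.
def redact_env(env)
  env.each_with_object({}) do |(name, value), out|
    out[name] =
      if name.match?(SENSITIVE_NAME) || value.match?(CREDENTIAL_IN_URL)
        "[REDACTED]"
      else
        value
      end
  end
end

if __FILE__ == $PROGRAM_NAME
  loaded = parse_dotenv(SAMPLE_DOTENV)   # what ends up in ENV after Dotenv runs
  redact_env(loaded).each { |k, v| puts "#{k}=#{v}" }
end
```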

The list below summarizes some of these risks, drawing on Diogo Monica's work. Before we jump into playing with some examples of ENV and environment variables, let's review some laws of Ruby environment variables.

Then run env to list the environment variables in the bash shell. Now, in the second shell, re-launch irb and fetch the sensitive ENV variables.