Maximize your CompTIA PenTest+ exam preparation with our specialized quiz. Use flashcards and multiple-choice questions, complete with hints and explanations, to enhance your study sessions and excel in your exam!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Which risk involves unauthorized handling of sensitive information within a web application?

  1. Insecure Configuration

  2. Sensitive Data Exposure

  3. Broken Authentication

  4. Security Misconfiguration

The correct answer is: Sensitive Data Exposure

Sensitive Data Exposure refers to the risk when sensitive information — such as personal data, payment details, or confidential business information — is improperly handled or disclosed within a web application. This can occur if the application does not adequately protect data during transmission and storage, resulting in unauthorized access by attackers. Proper security measures typically involve encryption, secure data handling practices, and robust access controls to prevent this risk.

Remediation strategies may include ensuring that sensitive data is encrypted both in transit and at rest, implementing secure application coding practices, and regularly testing for vulnerabilities that could lead to data leaks.

While the other options encompass important aspects of web application security, they do not specifically address the unauthorized handling of sensitive information. Insecure Configuration relates to poor security settings that can be exploited, Broken Authentication pertains to flaws in the authentication mechanisms that might allow unauthorized users to gain access, and Security Misconfiguration refers to a broader category of security mishaps due to improperly configured security settings. All of these can contribute to attacks, but Sensitive Data Exposure specifically calls out instances where sensitive information is not adequately protected against unauthorized access.