Client-Hidden Sensitive Data

The Client-Hidden Sensitive Data attack can occur when a website unintentially reveals sensitive information to users. This can include, information about other users, about the infrastructure of the website, etc.

Attack Vector

This attack takes place by obtaining sensitive data from the client side. (ex. takes place in CSS)


The impact of this attack depends on the website and what sensitive information is being passed from server to client that is thus unintentionally revealed to the client. Therefore, the information an attacker can obtain and what advantage they gain from this attack is dependent on the website.

For example, if a website unintentionally reveals not only the user's credit card information, but all other users' credit card information as well, then this would be a severe impact. However, there are cases that perhaps instead of revealing all users' credit card information, the site unintentionally reveals the name of all other users on the site.

Attack Examples

Example 1

A website developer fails to remove user data from the comments of their code, and in turn, allows users to view this data on the client-side.


Some defences include keeping sensitive data on the server side and sending only crucial data to the client side. Or to separate sensitive data with non-sensitive data, so that developers can keep track of what can be revealed and what should not be sent/revealed/visible to users.

Criteria for Demonstration

To demonstrate a Client-Hidden Sensitive Data attack, you should (1) explain what steps you took to reveal (2) what sensitive information. Note that the information you reveal has to be the endgoal of attack. For example, revealing a credit card number would qualify, but revealing an endpoint (which may or may not lead to another attack) would not qualify, as the endpoint is not sensitive information in isolation.

Other resources