This is basically the case where the application or system exposes some kind of very sensitive information to us, in some cases in plain text. For example, they might leak credit card details or social security numbers.
Maybe they stored passwords in clear text, which is very, very bad. Maybe there are JavaScript files openly reachable that contain credentials or similar, or maybe a backup directory is being exposed.
So to prevent this we should only store data that is necessary to the application and not store any sensitive data we don't need. Make sure that wherever the data is, it is encrypted, and make sure your files are not in a directory that is accessible to anybody. Use good encryption and good technologies. Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers. Disable things like caching for responses that contain sensitive data.
We can try directory busting our way through this and see if we find something sensitive; we can use dirb, gobuster or dirbuster for this whole process. Also, in Burp Suite go to Target → Site map and go through every file, because sometimes you have no idea what you can find, and you can search for strings like "password" and "key". Burp Suite Pro is also good at passively finding low-severity findings; it can also catch things like response headers for us, and these are very useful because we can see what kind of protections are in place and how they (or we) can defend against certain things. One such protection is HSTS, which stands for HTTP Strict Transport Security. It is a header that should be set in order to prevent an attack where secure HTTPS traffic is stripped and downgraded to HTTP; this is called a protocol downgrade attack, and after it all previously encrypted data is sent unencrypted.
The protocol downgrade attack is a man-in-the-middle attack, by the way; HSTS is the defence against it.
You can use a site called securityheaders.com to check whether you have all the required headers or not. Sometimes you can use screenshots from there to show clients what they are missing.
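The header review described above (HSTS and the other headers a securityheaders.com-style check looks for, plus the no-caching rule for sensitive responses), as an added example that is not part of the original notes; the sample header sets are constructed, and the expected header list and the one-year HSTS threshold are assumptions:

```python
import re
# Headers a securityheaders.com-style review expects on an HTTPS response (assumed list).
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options", "referrer-policy")
ONE_YEAR = 365 * 24 * 3600  # HSTS max-age below this is commonly flagged as weak

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    return max_age, "includesubdomains" in directives, "preload" in directives

def review_headers(headers):
    """Return a list of findings for a dict of response headers (names are
    matched case-insensitively, as HTTP requires)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {n}" for n in EXPECTED_HEADERS if n not in lower]
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        max_age, subdomains, _preload = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS: no max-age directive, browsers ignore the header")
        elif max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is shorter than one year")
        if not subdomains:
            findings.append("HSTS: includeSubDomains not set")
    # Sensitive responses should not be cached (see the note on caching above).
    if "no-store" not in lower.get("cache-control", "").lower():
        findings.append("Cache-Control: no-store missing on a sensitive response")
    return findings

# Constructed sample header sets (not captured from any real site).
WEAK = {"Server": "nginx", "Cache-Control": "public, max-age=3600"}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, review_headers(hdrs) or ["no findings"])
```

Feed it the headers you copy out of Burp's response view or `curl -I` to get the same missing/weak list you would screenshot from securityheaders.com.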
We can use Nmap to measure the level of encryption on a website and get a rating and report:
nmap --script=ssl-enum-ciphers -p 443 website.com
This gives you an A to F style rating for the cipher suites the server offers.