Credentials exposed in URLs

Description

Credentials placed in URLs may be stored in several places, including the user's device, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed by users, and they may be disclosed to third parties via the Referer header when an off-site link is followed. Placing session tokens in the URL therefore increases the risk that an attacker captures them.

Recommendation

To avoid leaking credentials in application or backend server logs, consider the following:

  • Avoid Storing Credentials in URLs: Refrain from placing sensitive information such as session tokens directly in URLs whenever possible.
  • Utilize Secure Session Management: Implement secure session management techniques that do not rely on embedding credentials in URLs. Instead, use methods such as session cookies with proper security configurations.
  • Encrypt Sensitive Data in Transit: Employ encryption protocols such as HTTPS to ensure that sensitive data, including URLs containing credentials, is encrypted during transmission between the user's device and the web server.
  • Implement URL Redaction: Implement mechanisms to automatically redact or obfuscate sensitive information, such as credentials, from URLs that are displayed on-screen or written to logs, to minimize the risk of exposure.
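As an added example (not code from the original page), the following Python shows one way to implement the last recommendation: it flags URLs that carry credentials in the userinfo part, in ";name=value" path parameters, or in query and fragment parameters, and produces a redacted copy that is safe to log or display. The list of sensitive parameter names is a constructed assumption and should be extended with the application's own names.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry credentials. Constructed list for this
# example; extend it with the application's own parameter names.
SENSITIVE_PARAMS = frozenset({
    "sessionid", "session_id", "jsessionid", "phpsessid", "token",
    "access_token", "id_token", "auth", "api_key", "apikey", "password",
})
REDACTED = "REDACTED"
# Matches ";name=value" path parameters (e.g. servlet-style ;jsessionid=... rewriting).
_PATH_PARAM = re.compile(r";([^;/?#=]+)=([^;/?#]*)")


def credentials_in_url(url: str) -> list[str]:
    """Name the credential-bearing parts of a URL: userinfo (user:pass@host),
    sensitive path parameters, and sensitive query or fragment parameters."""
    parts = urlsplit(url)
    found = []
    if "@" in parts.netloc:
        found.append("userinfo")
    for name, _ in _PATH_PARAM.findall(parts.path):
        if name.lower() in SENSITIVE_PARAMS:
            found.append(f"path:{name}")
    for label, component in (("query", parts.query), ("fragment", parts.fragment)):
        for name, _ in parse_qsl(component, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                found.append(f"{label}:{name}")
    return found


def _scrub_params(component: str) -> str:
    """Replace the value of every sensitive key=value pair in a query-style string."""
    if "=" not in component:
        return component  # plain fragment such as "#section": leave untouched
    pairs = parse_qsl(component, keep_blank_values=True)
    return urlencode([(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
                      for k, v in pairs])


def redact_url(url: str) -> str:
    """Return a copy of the URL that is safe to write to logs or show on screen."""
    parts = urlsplit(url)
    netloc = parts.netloc.rpartition("@")[2]  # drop user:pass@, keep host:port
    path = _PATH_PARAM.sub(
        lambda m: f";{m.group(1)}={REDACTED}"
        if m.group(1).lower() in SENSITIVE_PARAMS else m.group(0),
        parts.path)
    return urlunsplit((parts.scheme, netloc, path,
                       _scrub_params(parts.query), _scrub_params(parts.fragment)))
```

Run `redact_url` on every URL before it reaches a log line, an error page or an analytics hook; `credentials_in_url` can double as a test-time check that the application never emits such URLs in the first place.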

Standards

  • OWASP_MASVS_L1:
    • MSTG_AUTH_3
  • OWASP_MASVS_L2:
    • MSTG_AUTH_3
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
  • OWASP_MASVS_v2_1:
    • MASVS_AUTH_1
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5