Credentials exposed in URLs

Description

Credentials in URLs may be stored in different places, including the user's device, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Recommendation

Use a secure layer to send session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
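The following is an added example, not part of this page's own material, showing both halves of the problem in code: a check that spots credential-bearing URLs (in the query string, in Java-style `;jsessionid=` path rewriting, and in the userinfo part of a URL) so they can be found in access logs and redacted before logging, and the cookie-based alternative the recommendation describes. The list of sensitive parameter names, the log format regex and the sample log lines are assumptions constructed for the example.

```python
"""Find session tokens and other credentials carried in URLs, redact them for
safe logging, and build the cookie-based alternative to putting them in the URL.
Added example; SENSITIVE_PARAMS and the sample log lines are assumptions."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed: query-parameter names that commonly carry credentials or session ids.
SENSITIVE_PARAMS = {
    "sessionid", "session_id", "session", "sid", "jsessionid", "phpsessid",
    "token", "access_token", "auth_token", "api_key", "apikey",
    "password", "passwd", "pwd", "secret",
}
# Java servlet URL rewriting puts the session id in the path: /app;jsessionid=ABC
PATH_SESSION_RE = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)
# Request target inside a combined-format access-log line: "GET /path?x=y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/\d\.\d"')
PLACEHOLDER = "REDACTED"


def find_credentials_in_url(url):
    """Return [(location, name, value)] for credential-like material found in url."""
    parts = urlsplit(url)  # urlsplit keeps ';params' inside .path, unlike urlparse
    hits = []
    if parts.username or parts.password:
        hits.append(("userinfo", "password" if parts.password else "username",
                     parts.password or parts.username))
    m = PATH_SESSION_RE.search(parts.path)
    if m:
        hits.append(("path", "jsessionid", m.group(1)))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            hits.append(("query", name, value))
    return hits


def redact_url(url):
    """Replace credential values with a placeholder so the URL can be logged or shared."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if parts.username or parts.password:
        hostport = parts.hostname or ""
        if parts.port:
            hostport += f":{parts.port}"
        netloc = f"{PLACEHOLDER}@{hostport}"
    path = PATH_SESSION_RE.sub(f";jsessionid={PLACEHOLDER}", parts.path)
    query = urlencode([(n, PLACEHOLDER if n.lower() in SENSITIVE_PARAMS else v)
                       for n, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, netloc, path, query, parts.fragment))


def scan_access_log(text):
    """Return [(line_number, request_target, [param names])] for lines that leak credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = find_credentials_in_url(m.group(1))
        if hits:
            findings.append((lineno, m.group(1), [name for _, name, _ in hits]))
    return findings


def session_cookie_header(token, name="session"):
    """Set-Cookie value for the recommended approach: the token travels in a cookie,
    never in the URL. HttpOnly keeps it away from script, Secure keeps it off plain
    HTTP, SameSite=Lax keeps it off most cross-site requests (so no Referer leakage)."""
    return f"{name}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account?sessionid=9f8e7d6c5b4a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /app;jsessionid=ABC123DEF456?page=2 HTTP/1.1" 200 820 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=printers HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for lineno, target, names in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {names} exposed in {redact_url(target)}")
    print("Set-Cookie:", session_cookie_header("9f8e7d6c5b4a"))
```

Running the scanner over the sample log flags lines 1 and 2 (query-string and path-rewritten session ids) and leaves the plain search and the POST login alone; `redact_url` is what a logging layer or proxy would apply before a URL is written anywhere it can persist, and `session_cookie_header` shows the shape of the cookie that replaces the URL parameter.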

Standards

  • OWASP_MASVS_L1:
    • MSTG_AUTH_3
  • OWASP_MASVS_L2:
    • MSTG_AUTH_3
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2