API key in URL

owasp:api2:2019-no-api-keys-in-url

Rule Severity:

High

Ensure endpoints requiring API keys do so in the header of a request, not in the path (URL) or query string parameters.
This rule applies at the API Specification level (OAS/Swagger).
API Keys should be passed in the header of a request to limit exposure to man in the middle attacks.
An API key is a unique series of characters that are included in a request to verify that the requesting system is allowed to communicate with the receiving system. If an API requires a key, the key is assigned by the API provider to an authorized API user. The user includes this key in every request made. The API key verifies the application making the call to the API and ensures that the calling application has the correct access to call the API. If the API key is not valid the API sends back an error response.

Example Attack Scenario

Data Exposure: Attackers may exploit the lack of API keys to access sensitive data or resources exposed by the API. This could include personal information, financial data, or other confidential information that could be leveraged for malicious purposes, such as identity theft or fraud.

1. How to Identify with Example Scenario

securitySchemes:
 apiKey:
  # arbitrary name for the security scheme
  type: apiKey
  in: query
  name: X-API-KEY
  # name of the query parameter

1. How to Resolve with Example Scenario

securitySchemes:
 apiKey:
  # arbitrary name for the security scheme
  type: apiKey
  in: header
  name: X-API-KEY
  # name of the header, query parameter or cookie

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:
https://swagger.io/docs/specification/authentication/

More findings

All Findings