Including credentials in URLs exposes sensitive information to potential attackers, because URLs are logged in many places, such as browser history, web server logs, proxy logs and network logs, which makes it easier for unauthorized individuals to obtain these credentials. URLs can also be shared, intentionally or accidentally, so anyone with the link could potentially use the embedded credentials. Search engines may index URLs that contain credentials, leading to unintended public disclosure and embarrassment. Embedding credentials in URLs goes against best practices for secure API design, as it increases the risk of credential leakage and potential misuse. Instead, developers are advised to transmit credentials through secure mechanisms such as HTTP headers (for example an API-key header or an `Authorization` header) or OAuth tokens.
This rule applies at the API Specification level (OAS/Swagger).
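As an added example (not part of the original rule text), the following Python check scans an OpenAPI 3.x or Swagger 2.0 document for `apiKey` security schemes declared with `in: query`, which is how an API specification ends up sending credentials in the URL; the sample specs, scheme names and parameter names are constructed, and the corrected spec shows the same key moved to an HTTP header.

```python
"""Flag OpenAPI security schemes that place credentials in the URL query string."""
import json

# Constructed sample specs. WEAK_SPEC sends the key in the query string
# (e.g. GET /orders?api_key=...), FIXED_SPEC moves the same key to a header.
WEAK_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "apiKeyInQuery": {"type": "apiKey", "in": "query", "name": "api_key"},
        "bearer": {"type": "http", "scheme": "bearer"},
    }},
}
FIXED_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "apiKeyInHeader": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "bearer": {"type": "http", "scheme": "bearer"},
    }},
}


def security_schemes(spec):
    """Return the security scheme map for OAS 3.x or Swagger 2.0 documents."""
    if "swagger" in spec:  # Swagger 2.0 keeps schemes at the top level
        return spec.get("securityDefinitions", {})
    return spec.get("components", {}).get("securitySchemes", {})


def find_credentials_in_url(spec):
    """Return the names of apiKey schemes whose credential travels in the query string."""
    return [
        name
        for name, scheme in security_schemes(spec).items()
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query"
    ]


def check_file(path):
    """Load a JSON OpenAPI document from disk and run the check on it."""
    with open(path, encoding="utf-8") as fh:
        return find_credentials_in_url(json.load(fh))


if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("fixed", FIXED_SPEC)):
        print(label, "->", find_credentials_in_url(spec) or "no credentials in URL")
```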
Network Sniffing: If the URL with credentials is transmitted over an unencrypted connection (HTTP instead of HTTPS), anyone with access to the network traffic can easily intercept and view the credentials. The attacker can then use these credentials to gain unauthorized access to the system.