Credentials in URL

owasp-no-credentials-in-url

Type:

Finding

Rule Severity:

High

An endpoint is using URL parameters to pass in credentials. URL parameters should not contain credentials such as API keys, passwords, or secrets.

Including credentials in URLs exposes sensitive information to potential attackers, as URLs can be logged in various places, such as browser history, web server logs, and network logs. This makes it easier for unauthorized individuals to gain access to these credentials. URLs can be shared, either intentionally or accidentally, which means that anyone with the link could potentially access the included credentials. Search engines may also index those credentials containing URLs, leading to unintended public disclosure & embarrassment. Embedding credentials in URLs goes against best practices for secure API design, as it increases the risk of credential leakage and potential misuse. Instead, developers are advised to use secure methods like HTTP headers or OAuth tokens to transmit security credentials.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

URL parameters should not include sensitive information such as API keys, passwords, or secrets. Ensure that security credentials are excluded from paths and query parameters.

Example Attack Scenario

Network Sniffing: If the URL with credentials is transmitted over an unencrypted connection (HTTP instead of HTTPS), anyone with access to the network traffic can easily intercept and view the credentials. The attacker can then use these credentials to gain unauthorized access to the system.

How to Identify with Example Scenario

paths:
 /mypath/{id}/: 
  # arbitrary path name
  get:
   description: 'get'
   parameters:
    - name: client_secret
      in: query
      required: true
    - name: token
      in: query
      required: true
    - name: refresh_token
      in: query
      required: true
    - name: id_token
      in: query
      required: true
    - name: password
      in: query
      required: true
    - name: secret
      in: query
      required: true
    - name: apikey
      in: query
      required: true
    - name: apikey
      in: path
      required: true
    - name: API-KEY
      in: query
      required: true

How to Resolve with Example Scenario

paths:
 /mypath/{id}/: 
  # arbitrary path name
  get:
   description: 'get'
   parameters:
    - name: id
      in: path
      required: true
    - name: filter
      in: query
      required: true
   # Remove all sensitive data from the path or query

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings
Plaintext negotiated authentication
Average combined header size elevated
Average combined payload size reduced
Authentication removed
Plaintext basic authentication
Undefined string limit