Information Disclosure - Sensitive Information in URL
Reference
Plugin Id: 10024
Remediation
- Use POST requests: Send sensitive data in the request body (POST or PUT) rather than in URL query parameters; request bodies are not written to access logs, browser history, or Referer headers by default.
- Implement secure sessions: Keep sensitive state in a server-side session that is referenced by a cookie (marked HttpOnly, Secure and SameSite) rather than placing a session identifier in the URL.
- Use form data: Submit sensitive information through form fields with method="post" rather than through query parameters; a form with method="get" places every field in the URL.
- Remove sensitive URL logging: Configure web servers, reverse proxies and application loggers to redact or drop the values of sensitive query parameters before writing access logs, and apply the same treatment to crash reports and analytics.
- Validate data handling: Review all data flows to ensure sensitive information does not appear in URLs, Referer headers, or browser history. A Referrer-Policy header (for example no-referrer or strict-origin-when-cross-origin) limits what leaks to third-party sites through the Referer header, but it does not remove the data from logs, history or shared links.
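The log-redaction and review steps above can be automated. The following is an added example, not code from the scanner or from this page: it flags query (and fragment) parameters that look sensitive, by an illustrative list of parameter names and two value heuristics (JWT-shaped and long hex strings, both assumptions chosen for the example), and rewrites Common Log Format access-log lines so the flagged values never reach the log. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Illustrative list of parameter names that commonly carry secrets (assumption;
# extend it with the names your own application uses).
SENSITIVE_NAMES = {
    "password", "passwd", "pwd", "token", "access_token", "refresh_token",
    "api_key", "apikey", "session", "sessionid", "jsessionid", "phpsessid",
    "ssn", "credit_card", "card_number", "cvv",
}

# Value heuristics (assumptions): a compact JWT, or a long hex blob such as a
# session identifier or API key.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
LONG_HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")


def classify(name, value):
    """Return a reason string if the parameter looks sensitive, else None."""
    if name.lower() in SENSITIVE_NAMES:
        return "sensitive parameter name"
    if JWT_RE.match(value):
        return "value looks like a JWT"
    if LONG_HEX_RE.match(value):
        return "value looks like a session or API key"
    return None


def find_sensitive_params(url):
    """List (name, location, reason) for sensitive-looking parameters.

    The fragment is checked too: it is not sent to the server, but it is kept
    in browser history and is readable by any script on the page.
    """
    parts = urlsplit(url)
    findings = []
    for where, data in (("query", parts.query), ("fragment", parts.fragment)):
        for name, value in parse_qsl(data, keep_blank_values=True):
            reason = classify(name, value)
            if reason:
                findings.append((name, where, reason))
    return findings


def redact_url(url, placeholder="REDACTED"):
    """Keep the parameter names but replace flagged query values.

    The query is decoded and re-encoded, so percent-encoding of untouched
    values may be normalised; that is acceptable for a log line.
    """
    parts = urlsplit(url)
    flagged = {n for n, where, _ in find_sensitive_params(url) if where == "query"}
    pairs = [(n, placeholder if n in flagged else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Common Log Format: client ident user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")'
    r'(?P<method>[A-Z]+) (?P<target>\S+) (?P<rest>HTTP/[\d.]+".*)$'
)


def redact_log_line(line):
    """Rewrite the request target in one access-log line; pass others through."""
    m = LOG_RE.match(line)
    if not m:
        return line
    return (m.group("prefix") + m.group("method") + " "
            + redact_url(m.group("target")) + " " + m.group("rest"))


def redact_log(lines):
    return [redact_log_line(line) for line in lines]


# Constructed sample access log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /login?user=bob&password=hunter2 HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "GET /account?sessionid=3f2a9c1e4b5d6e7f8a9b0c1d2e3f4a5b HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        target = LOG_RE.match(line).group("target")
        for name, where, reason in find_sensitive_params(target):
            print(f"FINDING {name} in {where}: {reason}")
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Run the redaction as a log pipeline filter (or port the same logic into the web server's log format) so that the sensitive value is never written to disk; redacting an existing log after the fact does not recover the copies already shipped to log aggregation or backups.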
About
Sensitive information in URLs occurs when an application places confidential data such as passwords, tokens, personal information, or session identifiers in URL parameters. TLS does not help here: the full URL, query string included, is visible to the server's access logs, to any intermediate proxy that logs requests, to the browser history, and, through the Referer header, to any third-party site the page links to or embeds resources from. Such URLs are also easy to copy, bookmark, and share, so the data can be exposed long after the request was made.
Risks
Medium: Sensitive information in URLs can be exposed through server logs, browser history, Referer headers, or shared links, potentially leading to unauthorized access (for example session hijacking with a leaked session identifier), identity theft, or violations of regulations such as PCI DSS.