
Sensitive Token Exposed in URL User Facing

Overview of the Vulnerability

Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed, it can place the application at further risk of compromise. The application discloses a sensitive token in a user-facing URL, where it can be captured by an attacker. This allows the attacker to gain access to a legitimate user’s account, breaching the confidentiality and integrity of that account.

Business Impact

This vulnerability can lead to data theft, because an attacker with access to the application can manipulate data and interact with other users, including performing other malicious attacks that would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact on customers’ trust.

Steps to Reproduce

  1. Log in as a user and navigate to: {{URL}}

  2. Observe the exposed token in the URL

Proof of Concept (PoC)

The following screenshot shows the sensitive token in the URL:

{{screenshot}}

Recommendation(s)

The application should transmit tokens via HTTP cookies, or via hidden form fields that are submitted using the HTTP POST method.
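
The cookie-based option above, shown as an added example that is not part of the original write-up: a login redirect that puts the token in the URL beside one that sets it in a cookie, plus a check that can run in a test suite to flag redirects that still carry a token. The `/dashboard` path, the `session` cookie name and the parameter list are assumptions chosen for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Assumed parameter names that commonly carry credentials; adjust per application.
SENSITIVE_PARAMS = {"token", "access_token", "session", "sid", "api_key", "auth"}

def login_redirect_vulnerable(token):
    """Before: the token rides in the URL, so it is visible in the address bar,
    browser history, Referer headers and server or proxy logs."""
    return [("Location", f"/dashboard?token={token}")]

def login_redirect_hardened(token):
    """After: the token is sent in a cookie and the redirect URL carries no secret."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True   # not readable from page scripts
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"  # withheld on most cross-site requests
    return [("Set-Cookie", cookie["session"].OutputString()),
            ("Location", "/dashboard")]

def url_exposes_token(url):
    """Return the sensitive parameter names found in a URL's query or fragment."""
    parts = urlsplit(url)
    found = []
    for section in (parts.query, parts.fragment):
        for name, value in parse_qsl(section, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS and value:
                found.append(name)
    return found

def leaked_params(headers):
    """Regression check: sensitive parameters present in any Location header."""
    return [name for key, value in headers if key.lower() == "location"
            for name in url_exposes_token(value)]

if __name__ == "__main__":
    sample = "tok123"  # constructed sample value, not a real token
    print(leaked_params(login_redirect_vulnerable(sample)))
    print(login_redirect_hardened(sample))
```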

It is recommended to encrypt sensitive data both when at rest and when in transit. All data that is processed, stored, and transmitted by the application should be classified by business need, regulatory and industry requirements, and appropriate privacy laws.

Additionally, it is best practice to not store sensitive data when it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data should therefore be a part of a regularly reviewed maintenance cycle. This review cycle should include rotation of secrets.

For more information, refer to the Open Web Application Security Project (OWASP) guide relating to this vulnerability: https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
