Information Disclosure - Sensitive Information in HTTP Referrer Header
What is it?
The HTTP 'Referrer' header may have leaked a potentially sensitive parameter to another domain. This can violate PCI and most organizational compliance policies.
Examples of sensitive information in the 'Referrer' header are parameters with keys like 'user', 'username', 'pass', 'password', 'pwd', 'token', 'ticket', 'session' 'jsessionid', 'sessionid', etc.
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Requests sent to the API server are analyzed for the presence of sensitive information in the 'Referrer' header.
What is the solution?
Do not pass sensitive information in URIs that are utilized as a referrer.