Information Disclosure - Sensitive Information in URL
What is it?
The request to the API endpoint appeared to contain sensitive information leaked in the URL. This can violate PCI and most organizational compliance policies.
Examples of sensitive information in URLs are query parameters with keys like 'user', 'username', 'pass', 'password', 'pwd', 'token', 'ticket', 'session' 'jsessionid', 'sessionid', etc.
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Requests sent to the API server are analyzed for the presence of sensitive information in the URL.
What is the solution?
Do not pass sensitive information in URIs.