Information Disclosure - Sensitive Information in URL

What is it?

The request to the API endpoint appeared to contain sensitive information leaked in the URL. This can violate PCI and most organizational compliance policies.

Examples of sensitive information in URLs are query parameters with keys such as 'user', 'username', 'pass', 'password', 'pwd', 'token', 'ticket', 'session', 'jsessionid', 'sessionid', etc.

Test case FAQs

When is this test case applicable?

This is applicable for all API endpoints when the Baseline security category is enabled in test plans.

How does it work?

Requests sent to the API server are analyzed for the presence of sensitive information in the URL.
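The check described above, written out as an added example (not the scanner's own code): it flags requests whose URL carries one of the parameter keys listed under "What is it?", looking at both the query string and path parameters such as `;jsessionid=...`. The `METHOD URL STATUS` log format and the sample traffic are constructed for the example.

```python
"""Added example: flag API requests whose URL carries sensitive parameter keys."""
from urllib.parse import parse_qsl, urlsplit

# Parameter keys the page names as indicators of sensitive data in a URL.
SENSITIVE_KEYS = {
    "user", "username", "pass", "password", "pwd", "token",
    "ticket", "session", "jsessionid", "sessionid",
}


def sensitive_url_params(url: str) -> list[str]:
    """Return sensitive keys present in a URL, lower-cased, in order of appearance.

    Checks the query string (?user=...) and path parameters (;jsessionid=...),
    so a session id tucked into the path is caught as well as one in the query.
    """
    parts = urlsplit(url)  # urlsplit keeps ';param=value' inside .path
    found: list[str] = []
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        k = key.strip().lower()
        if k in SENSITIVE_KEYS and k not in found:
            found.append(k)
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            k = param.split("=", 1)[0].strip().lower()
            if k in SENSITIVE_KEYS and k not in found:
                found.append(k)
    return found


def scan_requests(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run the check over request-log lines of the constructed form
    'METHOD URL STATUS' and return (url, keys) for each flagged request."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # skip malformed lines instead of aborting the scan
        keys = sensitive_url_params(fields[1])
        if keys:
            flagged.append((fields[1], keys))
    return flagged


# Constructed sample traffic, not taken from any real system.
SAMPLE_LOG = [
    "POST /api/v1/login 200",
    "GET /api/v1/login?username=alice&password=hunter2 200",
    "GET /api/v1/orders;jsessionid=ABC123/42 200",
    "GET /api/v1/items?page=2&Token=eyJhbGci 200",
    "GET /api/v1/health 200",
]

if __name__ == "__main__":
    for url, keys in scan_requests(SAMPLE_LOG):
        print(f"{url} -> sensitive keys in URL: {', '.join(keys)}")
```

Matching is case-insensitive on the key only; values are never inspected or logged, so the scanner itself does not copy the leaked secret anywhere.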

What is the solution?

Do not pass sensitive information in URIs.