Sensitive token in URL

waike · September 8, 2019, 11:55am

When visiting a certain page on a site I’m testing, there is a call to the API containing an API key in the URL. However, since the HTTP request containing the API key is not logged in the browser, I’m not sure this qualifies for the P4 vulnerability in the VRT called "Sensitive Token in URL (User Facing).

What exactly is meant by “User Facing”.

Appills · September 12, 2019, 4:27pm

User-Facing typically means via the UI.

However, if you’re getting it in something like a 301 Redirect response via the API, I would call that user-facing. You should verify that the parameter is a credential. Just force-browse to the endpoint call.

waike · September 14, 2019, 3:43pm

Thanks, that makes sense. Further testing revealed that the key wasn’t sensitive in this case, but I’ll remember your advice in my future hunting!

Topic		Replies	Views
API Key and OAuth Token Disclosure Web Hacking	1	2830	June 24, 2024
Is the GET request containing the code parameter vulnerable in OAuth2 authentication? Web Hacking	1	2361	July 25, 2020
Possible API Key Leak? Web Hacking	6	4483	July 20, 2022
Bugcrowd's Vulnerability Rating Taxonomy Bugcrowd Announcements & News	3	6672	May 2, 2018
Http parameter pollution Starter Zone	2	5107	May 4, 2016

Sensitive token in URL

Related Topics