Sensitive token in URL

When visiting a certain page on a site I’m testing, there is a call to the API containing an API key in the URL. However, since the HTTP request containing the API key is not logged in the browser, I’m not sure this qualifies for the P4 vulnerability in the VRT called "Sensitive Token in URL (User Facing)".

What exactly is meant by “User Facing”?


User-Facing typically means via the UI.

However, if you’re getting it in something like a 301 Redirect response via the API, I would call that user-facing. You should verify that the parameter is a credential. Just force-browse to the endpoint call.

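The "verify the parameter is a credential" step from the reply above, as an added worked example (it is not code from the original thread or from the site being tested). It replays the captured URL three ways, as captured, with the parameter removed, and with the parameter replaced by junk, and classifies the parameter from how the responses differ. The target is a constructed in-process API with two hypothetical endpoints: `/api/v1/profile`, which rejects requests without the right `api_key`, and `/api/v1/catalog`, which ignores the parameter entirely (the situation the original poster ended up in). The key value, endpoint paths and parameter name are assumptions for the demo only.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Constructed stand-in for the real API; the key value is made up for the demo.
VALID_KEY = "k3y-constructed-example"


class FakeApi(BaseHTTPRequestHandler):
    """Hypothetical API: /profile needs the key, /catalog ignores it."""

    def do_GET(self):
        parts = urlsplit(self.path)
        params = dict(parse_qsl(parts.query))
        if parts.path == "/api/v1/profile":
            if params.get("api_key") == VALID_KEY:
                self._send(200, {"user": "alice"})
            else:
                self._send(401, {"error": "invalid api key"})
        elif parts.path == "/api/v1/catalog":
            self._send(200, {"items": 3})  # key present or not, same answer
        else:
            self._send(404, {"error": "not found"})

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind the fake API to an ephemeral loopback port and serve it in the background."""
    srv = HTTPServer(("127.0.0.1", 0), FakeApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url):
    """Force-browse to a URL; return (status, body) for success and error responses alike."""
    try:
        with urlopen(Request(url), timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def with_param(url, name, value):
    """Return the URL with query parameter `name` removed (value None) or replaced."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    if value is not None:
        query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_token(url, param):
    """Decide whether `param` in the captured URL behaves like a credential.

    'credential'        - the endpoint refuses the request without the exact value
    'not a credential'  - removing or mangling the value changes nothing
    'inconclusive'      - the replay itself fails, or the responses differ in some
                          other way (e.g. a body that varies between requests)
    """
    baseline = fetch(url)
    removed = fetch(with_param(url, param, None))
    mutated = fetch(with_param(url, param, "x" * 16))
    if baseline[0] >= 400:
        return "inconclusive"
    if removed == baseline and mutated == baseline:
        return "not a credential"
    if removed[0] in (401, 403) and mutated[0] in (401, 403):
        return "credential"
    return "inconclusive"


def demo():
    """Run the three-way check against both hypothetical endpoints and a missing one."""
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        return {
            "profile": classify_token(base + "/api/v1/profile?api_key=" + VALID_KEY, "api_key"),
            "catalog": classify_token(base + "/api/v1/catalog?api_key=" + VALID_KEY, "api_key"),
            "missing": classify_token(base + "/api/v1/missing?api_key=" + VALID_KEY, "api_key"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real target the same three requests are all that is needed, but compare status codes rather than full bodies when the response carries timestamps or request IDs, since a byte-for-byte comparison then lands in "inconclusive" for the wrong reason. A "credential" result still only settles half of the VRT question; whether the URL is user-facing (navigated to or shown in the UI, rather than only fetched by script) is what decides the exposure.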

Thanks, that makes sense. Further testing revealed that the key wasn’t sensitive in this case, but I’ll remember your advice in my future hunting!