
URL Contains Sensitive Data - Email

Description

Placing an email address in the URL of a REST endpoint, as a path segment (for example /users/alice@example.com) or as a query parameter (?email=alice@example.com), exposes it in places the application does not control: web server, reverse proxy, CDN and WAF access logs, browser history and bookmarks, analytics tools, and the Referer header that browsers send along to third-party sites, all of which normally store the full URL in plain text. HTTPS does not remove the problem: TLS protects the URL in transit, but every component that terminates or logs the request still sees it. The result is unintended disclosure of personal data (CWE-200) and a potential privacy violation. Email addresses and other sensitive values should instead be sent in the request body or in HTTP headers, and the endpoints that handle them should enforce proper authentication and authorization.

Remediation

Remove email addresses from URL paths and query parameters. Send them in the request body instead (for example a POST with a JSON body), or in an HTTP header where the protocol requires it, and address resources in the path by an opaque identifier such as a user ID rather than by email. Serve all traffic over HTTPS so the data is encrypted in transit, keeping in mind that TLS does not keep the URL out of logs. Enforce strict authentication and authorization checks on every endpoint that handles email addresses or other sensitive data. Inspect server, proxy, CDN and analytics logs to confirm that no email addresses have already been captured in plain text, and redact or mask sensitive parameters before requests are logged. A Web Application Firewall (WAF) or intrusion detection system can help detect attempts to target exposed email data. Repeat the review periodically so that new endpoints or features do not reintroduce sensitive data into URLs.
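The checks described above, as an added Python example that is not part of this page or of any scanner's own code: it finds email addresses in the request target and in the Referer header of a constructed access-log sample (including the percent-encoded %40 form), masks them before a URL is logged, and shows the GET-with-query request beside the POST-with-body form that the remediation asks for. The endpoint paths, the log lines and the REDACTED placeholder are assumptions made for the example.

```python
import json
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Loose email pattern: good enough to spot leaks in URLs and logs, not an
# RFC 5322 validator. Assumption: we only need to find, not validate.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not real traffic). Lines 1 and 2 carry an email in
# the request target (query string, then path segment); line 5 leaks one via
# the Referer header of a page that put it in its URL. Lines 3 and 4 are the
# remediated forms: a POST lookup and an opaque user identifier in the path.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /api/v1/users?email=alice%40example.com HTTP/1.1" 200 512 "https://app.example.com/profile" "Mozilla/5.0"
10.0.0.6 - - [12/May/2024:10:01:05 +0000] "GET /api/v1/users/bob@example.com/orders HTTP/1.1" 200 1024 "-" "curl/8.4.0"
10.0.0.7 - - [12/May/2024:10:01:09 +0000] "POST /api/v1/users/lookup HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.8 - - [12/May/2024:10:01:12 +0000] "GET /api/v1/users/8f3e1c2a HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.9 - - [12/May/2024:10:01:15 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "https://app.example.com/reset?email=carol@example.com" "Mozilla/5.0"
"""


def emails_in_url(url: str) -> list[str]:
    """Return email addresses found in the path, query or fragment of a URL.

    Each component is percent-decoded first so that 'alice%40example.com'
    is caught as well as the literal form.
    """
    parts = urlsplit(url)
    found: list[str] = []
    for component in (parts.path, parts.query, parts.fragment):
        found.extend(EMAIL_RE.findall(unquote(component)))
    return found


def scan_access_log(log_text: str) -> list[dict]:
    """Flag log lines whose request target or Referer contains an email address.

    Checking the Referer as well catches addresses that other pages put in
    their URLs and that browsers then forward to this server.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not in combined format; skip rather than guess
        for field in ("target", "referer"):
            for email in emails_in_url(match.group(field)):
                findings.append({"line": lineno, "field": field, "email": email})
    return findings


def redact_url(url: str) -> str:
    """Mask email addresses in a URL's path and query before it is logged.

    Intended for a logging filter: the decoded, redacted form is returned,
    so it is not meant to be reused as a request URL.
    """
    parts = urlsplit(url)
    path = EMAIL_RE.sub("REDACTED", unquote(parts.path))
    query = [(key, EMAIL_RE.sub("REDACTED", value))
             for key, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


def lookup_request_vulnerable(email: str) -> dict:
    """Before: the address travels in the query string and ends up in every log."""
    return {"method": "GET",
            "url": "/api/v1/users?" + urlencode({"email": email}),
            "headers": {},
            "body": None}


def lookup_request_hardened(email: str) -> dict:
    """After: the address travels only in a JSON body; the URL identifies nothing."""
    return {"method": "POST",
            "url": "/api/v1/users/lookup",
            "headers": {"Content-Type": "application/json",
                        "Cache-Control": "no-store"},
            "body": json.dumps({"email": email})}


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {finding['line']}: email in {finding['field']}: {finding['email']}")
    print(redact_url("/api/v1/users?email=alice%40example.com"))
    print(lookup_request_hardened("alice@example.com"))
```

Running the scanner over the sample reports lines 1, 2 and 5 and stays silent on the POST lookup and the opaque-ID path, which is the state the remediation aims for. The Referer finding on line 5 is the case that is easy to miss: the server itself never put the address in a URL, but a page elsewhere did, and the browser carried it over.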

References

https://owasp.org/www-community/attacks/Information_exposure
https://owasp.org/Top10/

Severity

MEDIUM

Owasp

Code: A02:2021

Category: Cryptographic Failures

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

6.9