
URL Contains Sensitive Data - IP address

Description

Exposing sensitive data such as IP addresses in RESTful API URLs is a security risk because it can lead to information disclosure: URLs are routinely recorded in server, proxy and browser logs and forwarded in Referer headers, so anything placed in them is disclosed well beyond the intended recipient. Attackers can use this information to learn about the system's internal infrastructure or to launch targeted attacks. To mitigate, sensitive data like IP addresses should be kept out of URLs and handled through other means such as encrypted payloads or access controls.

Remediation

Remove or mask IP addresses in API endpoint paths. Instead, pass sensitive data via request headers, encrypted payloads, or secure configuration settings. Implement strict input validation and output encoding to avoid unintentionally including sensitive information in query strings or URL paths. If necessary, use access controls and authentication to ensure only authorized parties can retrieve sensitive details. Employ HTTPS for all communications to protect data in transit. Regularly review logs and server configurations to confirm no sensitive data is exposed through URLs or other application layers.
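The following is an added example (not part of this rule page or its scanner) of the two checks the remediation calls for: a detector that reports IPv4/IPv6 literals found in the path or query string of a URL, usable over route definitions or access-log entries during review, and a masking helper that redacts them before a URL is logged. It relies only on the Python standard library; the sample URL in the usage block is constructed.

```python
"""Detect and mask IP address literals in API URL paths and query strings (added example)."""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Candidate tokens are runs of characters that can appear in an IP literal.
# ipaddress.ip_address() does the real validation, so version strings such as
# "v1.2.3" or hex identifiers such as "deadbeef" are not reported.
_TOKEN = re.compile(r"[0-9A-Fa-f.:]+")


def _as_ip(token: str):
    """Return an IPv4Address/IPv6Address if `token` is an IP literal (optionally with a :port), else None."""
    token = token.strip(".")
    for candidate in (token, token.rsplit(":", 1)[0]):  # second form drops a trailing ":port"
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def find_ip_addresses(url: str) -> list[str]:
    """Return IP literals found in the path or query of `url`; the host part is not inspected."""
    parts = urlsplit(url)
    texts = [unquote(parts.path)]
    texts += [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = []
    for text in texts:
        for token in _TOKEN.findall(text):
            ip = _as_ip(token)
            if ip is not None:
                found.append(str(ip))
    return found


def mask_ip_addresses(url: str, mask: str = "REDACTED") -> str:
    """Return `url` with IP literals in its path and query replaced by `mask` (a trailing :port is masked too)."""
    parts = urlsplit(url)

    def scrub(text: str) -> str:
        return _TOKEN.sub(lambda m: mask if _as_ip(m.group(0)) is not None else m.group(0), text)

    path = scrub(unquote(parts.path))
    query = urlencode([(k, scrub(unquote(v))) for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


if __name__ == "__main__":
    sample = "https://api.example.com/v1/hosts/10.0.0.5/metrics?target=2001:db8::1"  # constructed
    print(find_ip_addresses(sample))   # ['10.0.0.5', '2001:db8::1']
    print(mask_ip_addresses(sample))   # https://api.example.com/v1/hosts/REDACTED/metrics?target=REDACTED
```

Run `find_ip_addresses` over each request path in an access log or over the route table to flag endpoints that embed addresses, and wrap your request logger with `mask_ip_addresses` so the literal never reaches persistent logs.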

References

https://owasp.org/www-community/attacks/Information_exposure
https://owasp.org/Top10/

Severity

MEDIUM

OWASP

Code: A02:2021

Category: Cryptographic Failures

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3