URL Contains Sensitive Data - SSN

Description

This finding is raised when a RESTful API URL carries sensitive data such as Social Security Numbers (SSNs), exposing them directly in the request line. Because URLs are routinely written to server logs, analytics tools and other systems that are rarely protected as strictly as the application itself, the SSN is retained in plain text in all of those places, which can lead to a breach. To mitigate this, do not place sensitive data in URLs; transmit it in the request body or in headers instead. Additionally, apply encryption and access controls so that the data is protected from unauthorized access.

Remediation

Remove or mask SSNs from URL parameters. Instead, include sensitive information in the request body or secure HTTP headers. Ensure all communication is conducted over HTTPS to encrypt data in transit, and implement strict access control to protect any endpoints handling SSNs. Regularly review server logs, analytics tools, or third-party services to ensure no sensitive data is retained in plain text. Employ a Web Application Firewall (WAF) or intrusion detection system to detect and block any attempts at exfiltrating SSNs. Periodically audit your application and server configurations to prevent inadvertent logging or exposure of SSNs in URLs or other components.
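As an added example in the spirit of the log review described above (not part of this entry), the following Python check scans constructed access-log lines for request targets whose path or query string carries an SSN-shaped value and shows the masked form that should be logged instead. The SSN pattern, the log line format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed SSN matcher (assumption): nine digits with optional dashes, rejecting
# area 000/666/9xx, group 00 and serial 0000 to cut down on false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")
# Request line inside a common/combined-format access log entry (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def mask_ssn(value):
    """Replace every SSN-looking token, keeping only the last four digits."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], value)

def find_ssn_in_url(url):
    """Return the query parameter names (or 'path') that carry an SSN-looking value."""
    parts = urlsplit(url)
    hits = [k for k, v in parse_qsl(parts.query, keep_blank_values=True) if SSN_RE.search(v)]
    hits += ["path" for seg in parts.path.split("/") if SSN_RE.fullmatch(seg)]
    return hits

def redact_url(url):
    """Return the URL with SSN-looking values masked in both path and query."""
    parts = urlsplit(url)
    path = "/".join(mask_ssn(seg) for seg in parts.path.split("/"))
    pairs = [(k, mask_ssn(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    query = urlencode(pairs, safe="*")  # keep the mask characters readable
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))

def scan_access_log(lines):
    """Return (line_no, hits, redacted_target) for each line whose request target leaks an SSN."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        hits = find_ssn_in_url(m.group("target")) if m else []
        if hits:
            findings.append((n, hits, redact_url(m.group("target"))))
    return findings

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/v1/customers?ssn=123-45-6789 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /api/v1/customers/123456789/orders HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api/v1/customers?id=42&page=1 HTTP/1.1" 200 128',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "POST /api/v1/customers/lookup HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, hits, redacted in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: SSN-shaped value in {hits} -> log as {redacted}")
```

Any nine-digit identifier that passes the area/group/serial filter (an order number, for instance) will also match, so treat the output as triage hints to confirm against the API's parameter definitions, not as proof of exposure.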

References

https://owasp.org/www-community/attacks/Information_exposure
https://owasp.org/Top10/

Severity

MEDIUM

Owasp

Code: A02:2021

Category: Cryptographic Failures

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (score 5.3)
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (score 5.3)