
URL Contains Sensitive Data - TCKN

Description

The vulnerability arises when sensitive data, such as a Turkish Identification Number (TCKN), is placed in the URL of a RESTful API request, either as a query parameter or as a path segment. The web stack does not treat URLs as secrets: they are written to web-server and reverse-proxy access logs, kept in browser history, leaked to other sites through the Referer header, and copied into analytics, crash-reporting and CDN tooling. TLS does not help here, because the logging happens at the endpoints after decryption. Sensitive identifiers should instead travel in the request body (or, for credentials, in a header such as Authorization), which access logs do not record by default and which the browser does not retain.

Remediation

Remove TCKN values from URL paths and query strings; where an identifier must appear in the URL, use an opaque surrogate (for example a random resource ID) rather than the TCKN itself. Pass the TCKN in the request body (for example a POST with a JSON body) or, if a header is used, in one that the server is configured not to log. Use HTTPS to protect the value in transit, and verify that web-server and proxy access logs, application logs, error trackers and analytics tools do not capture it; scrub or hash the value before it is written. Enforce strict access controls on endpoints that accept TCKNs, and consider a Web Application Firewall (WAF) or intrusion detection rule that flags TCKN-like 11-digit values in URLs. Regularly audit application code and infrastructure configuration to confirm that no component of the system logs or transmits TCKNs in URLs.
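As an added illustration (not part of the original entry), the following Python scans access-log lines for TCKN-like values in URL paths and query strings, uses the public TCKN checksum to cut down false positives, and produces a scrubbed copy of each offending request target, the kind of check an audit of logs or a log-pipeline filter would run. The log lines, hosts, paths and parameter names are constructed for the example; the third log line shows the remediated shape (a POST whose identifier travels in the body, so nothing sensitive reaches the access log).

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample access log (combined log format). The numbers are
# made up: 12345678950 passes the TCKN checksum, 12345678901 does not.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0300] "GET /api/v1/citizens?tckn=12345678950&page=1 HTTP/1.1" 200 512
10.0.0.6 - - [12/May/2024:10:01:03 +0300] "GET /api/v1/citizens/12345678950/address HTTP/1.1" 200 231
10.0.0.7 - - [12/May/2024:10:01:04 +0300] "POST /api/v1/citizens/lookup HTTP/1.1" 200 231
10.0.0.8 - - [12/May/2024:10:01:05 +0300] "GET /api/v1/orders?id=12345678901 HTTP/1.1" 200 99
"""

# A run of exactly 11 digits not embedded in a longer digit run.
ELEVEN_DIGITS = re.compile(r"(?<!\d)\d{11}(?!\d)")
# Request line inside a combined-format access log entry.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_valid_tckn(value: str) -> bool:
    """Structural and checksum test for a Turkish ID number (TCKN).

    Public algorithm: 11 digits, first digit not 0,
    d10 = (7 * (d1+d3+d5+d7+d9) - (d2+d4+d6+d8)) mod 10,
    d11 = (d1 + ... + d10) mod 10.
    Passing is a strong hint, not proof: roughly 1 in 100 random
    11-digit strings satisfies both check digits.
    """
    if not (len(value) == 11 and value.isdigit() and value[0] != "0"):
        return False
    d = [int(c) for c in value]
    odd = d[0] + d[2] + d[4] + d[6] + d[8]
    even = d[1] + d[3] + d[5] + d[7]
    return d[9] == (7 * odd - even) % 10 and d[10] == sum(d[:10]) % 10


def find_tckn_in_url(url: str) -> list[tuple[str, str]]:
    """Return (location, value) pairs for TCKN-like values in the path or query."""
    parts = urlsplit(url)
    hits: list[tuple[str, str]] = []
    for seg in parts.path.split("/"):
        for m in ELEVEN_DIGITS.finditer(seg):
            if is_valid_tckn(m.group()):
                hits.append(("path", m.group()))
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        for m in ELEVEN_DIGITS.finditer(val):
            if is_valid_tckn(m.group()):
                hits.append((f"query:{key}", m.group()))
    return hits


def redact_url(url: str, mask: str = "REDACTED") -> str:
    """Replace TCKN-like values in path and query with a mask (log scrubbing).

    Non-TCKN 11-digit values are left alone so order IDs and the like
    stay usable for debugging.
    """
    parts = urlsplit(url)

    def scrub(text: str) -> str:
        return ELEVEN_DIGITS.sub(
            lambda m: mask if is_valid_tckn(m.group()) else m.group(), text
        )

    path = "/".join(scrub(seg) for seg in parts.path.split("/"))
    query = urlencode(
        [(k, scrub(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    )
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def scan_access_log(log_text: str) -> list[dict]:
    """Report every log line whose request target carries a TCKN-like value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        # The target is path+query without a host; urlsplit handles that form.
        target = m.group("target")
        hits = find_tckn_in_url(target)
        if hits:
            findings.append({
                "line": lineno,
                "method": m.group("method"),
                "target": target,
                "hits": hits,
                "redacted": redact_url(target),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']}: {f['method']} {f['target']}")
        print(f"    hits: {f['hits']}")
        print(f"    scrubbed: {f['redacted']}")
```

The same `redact_url` shape can sit in a log-shipping filter so that access logs are scrubbed before retention, but the remediation of record is still to move the TCKN out of the URL; scrubbing only limits the damage in the copies you control, not in browser history, Referer leakage or third-party tooling.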

References

https://owasp.org/www-community/attacks/Information_exposure
https://owasp.org/Top10/

Severity

MEDIUM

Owasp

Code: A02:2021

Category: Cryptographic Failures

Classification

CWE-200

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)