Password Sent in HTTP Query
Impact: Medium
Description
When passwords are included in URLs and sent as part of HTTP queries, they may be logged in various places, including server logs, and disclosed to unauthorized parties through the Referer HTTP request header. This risk is heightened when the traffic is not encrypted, making it susceptible to interception and eavesdropping.
Recommendation
Avoid sending sensitive information like passwords in URLs. Instead, use the HTTP POST method and transmit sensitive data in the request body, which keeps it out of the URL. Additionally, ensure that communication is encrypted using HTTPS to protect data in transit.
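To check for existing exposure, the following Python script (an added example, not part of the original page) scans Combined Log Format access-log lines for password-like parameters in the request URL and in the Referer field, and masks their values. The parameter-name list, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of credential-bearing parameter names; extend for your application.
SENSITIVE = {"password", "passwd", "pwd", "pass"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?P<mid> HTTP/[\d.]+" \d{3} \S+ ")(?P<referer>[^"]*)(?P<post>".*)$'
)

def redact_url(url):
    """Return (url with sensitive query values masked, names of the parameters masked)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan_line(line):
    """Check the request target and the Referer field of one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return line, []  # unknown format: leave the line untouched
    target, in_target = redact_url(m["target"])
    referer, in_referer = redact_url(m["referer"])
    findings = [("request", n) for n in in_target] + [("referer", n) for n in in_referer]
    return f'{m["pre"]}{m["method"]} {target}{m["mid"]}{referer}{m["post"]}', findings

# Constructed sample lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/May/2024:10:00:01 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/May/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/May/2024:10:00:05 +0000] "GET /static/app.css HTTP/1.1" 200 900 "https://app.example.com/reset?pwd=S3cret" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        redacted, findings = scan_line(entry)
        if findings:
            print(findings, redacted)
```

Any password that turns up in a finding should be treated as disclosed and rotated, since the log has already stored it in clear text.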
Last updated on May 13, 2024