Wednesday, March 30, 2016

Passing secrets in a URL is vulnerable

Today I saw a website with a REST API and an example of a request to it:

    curl "https://api.website.com/v1/entity/123?key=YOUR-API-KEY"

Note that this is a client-to-server REST API request, and no cookies are being sent.

It reminded me of dozens of websites with REST APIs designed the same way which I've seen so far, where they pass the secret, the API key, in the URL. The protocol can be HTTP or HTTPS, but there's no difference. No matter how you slice it, the secret is sent in plain text and thus can be intercepted by a man-in-the-middle or seen in the logs on a server. And that's a vulnerability.

To fix this, the API key has to be passed in a request header (for example, Authorization: Bearer YOUR-API-KEY) rather than in the URL.

UPDATE:

Actually, over HTTPS the path and query string after the domain name are not transmitted in the clear. The TLS handshake uses only the domain part of the URL (the hostname is visible to a network observer through DNS and the SNI extension, but nothing after it). After that all the traffic, including the request path and query string, is encrypted. Over plain HTTP, of course, the whole request is still in the clear. However, depending on the implementation and configuration of the web server, the URL, query string included, may well end up in its access logs, since the request line is what access logs normally record. Depending on the server settings, even the POST body can be logged: httpd.apache.org/docs/current/mod/mod_dumpio.html

Also, it can still appear in other places, such as the browser history, the Referer header sent to third-party sites, and the logs of any proxy or CDN in front of the server.
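The following script is an added example and is not code from the original post. It starts a local HTTP stub that records, instead of printing, the access-log line the Python standard library would write for each request, then sends the same API key once in the query string and once in an Authorization header, so you can see which of the two ends up in the log. It also includes a small scrubber that redacts secret-looking query parameters from log lines, which is what you need when you cannot change the API's clients. The key value, the parameter names in SECRET_PARAMS, and the localhost stub are all constructed for the demonstration.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample secret for the demonstration; not a real key.
API_KEY = "sk-test-0123456789"

# Query parameter names that commonly carry credentials (assumed list; extend it for your API).
SECRET_PARAMS = {"key", "api_key", "apikey", "token", "access_token"}


class LoggingStubHandler(BaseHTTPRequestHandler):
    """Minimal API stub that records, instead of printing, the line the
    standard library's access log would contain for each request."""

    log_lines = []  # shared across handler instances; reset by run_demo()

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    def log_message(self, fmt, *args):
        # BaseHTTPRequestHandler logs '"<request line>" <status> <size>'.
        # The request line carries the full path and query string, so anything
        # placed in the URL lands here; request headers do not.
        LoggingStubHandler.log_lines.append(fmt % args)


def run_demo():
    """Send the same key in the query string and in a header; return the log lines."""
    server = HTTPServer(("127.0.0.1", 0), LoggingStubHandler)  # port 0: pick a free one
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    LoggingStubHandler.log_lines = []
    base = f"http://127.0.0.1:{port}/v1/entity/123"
    try:
        # 1. The pattern from the post: secret in the URL.
        with urllib.request.urlopen(f"{base}?key={API_KEY}") as resp:
            resp.read()
        # 2. The fix: secret in a request header.
        req = urllib.request.Request(base, headers={"Authorization": f"Bearer {API_KEY}"})
        with urllib.request.urlopen(req) as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return list(LoggingStubHandler.log_lines)


def redact_url(url):
    """Replace the value of secret-looking query parameters with REDACTED."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


# Matches the quoted request line in common-log-format style entries.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def redact_log_line(line):
    """Scrub the request target inside an access-log line; other fields are untouched."""
    return REQUEST_LINE.sub(
        lambda m: f'"{m["method"]} {redact_url(m["target"])} {m["proto"]}"', line
    )


if __name__ == "__main__":
    for line in run_demo():
        leaked = API_KEY in line
        print(f"{'LEAKS KEY' if leaked else 'clean    '}: {line}")
        if leaked:
            print(f"scrubbed : {redact_log_line(line)}")
```

The first request produces a log line containing the key in full; the second shows only the path, because the server's logger never sees request headers unless it is explicitly configured to record them. Scrubbing is a mitigation for existing logs, not a substitute for moving the key out of the URL: the browser history and Referer leaks above happen before the request reaches your server.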
