Password In Redirect
| Property | Value |
|---|---|
| ID | java.password_in_redirect |
| Severity | critical |
| Resource | Information Leak |
| Language | Java |
| Tags | CWE:359, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3 |
Description
This detector identifies spots where passwords are exposed in URLs during redirection, which can compromise sensitive information by logging them in server access logs or browser history.
Rationale
Passwords should never be included in URLs during server redirection because URLs can be easily logged in server side logs, stored in browser histories, and shared inadvertently.
When sensitive data such as a password is passed through a URL query string as part of a redirect, the application introduces an unintended security vulnerability: the redirect target URL is logged by the server, recorded in the browser history, and visible to any intervening proxy.
For example, the following Java servlet shows how a password might inadvertently be included in a URL during a redirect (the original snippet, completed with the imports and class declaration it needs; the insecure redirect is kept as the rule describes it):
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Bad practice: redirecting with the password in the URL query string
        response.sendRedirect("/login?username=" + username + "&password=" + password);
    }
}
```
In this example, both the username and password parameters are concatenated into the URL that is passed to the response.sendRedirect() method. This exposes the password not only in the client's browser history but also in any intervening proxies and server access logs.
Remediation
To remediate this vulnerability, avoid including sensitive information such as passwords in URL query parameters or redirect targets. Instead, consider the following approaches:
- Use POST requests: send sensitive data with the HTTP POST method. POST requests carry parameters in the request body rather than the URL, which keeps them out of access logs and browser history.
- Session management: keep temporary sensitive data in session variables or secure cookies instead, so that it is never exposed in a URL.
- Encrypted tokens: if redirecting with data is unavoidable, use encrypted tokens. Such tokens can be passed in a URL query string because they cannot be interpreted without the decryption keys.
- Security auditing: adopt security auditing practices so that such vulnerabilities are caught early in development, primarily through Static Application Security Testing (SAST) tools.
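The following servlet is an added example, not code from this rule's documentation, showing the session-based remediation: the credentials stay in the POST body, the authenticated identity is stored server-side, and the redirect carries nothing sensitive. It assumes the javax.servlet API (Servlet 3.1 or later for changeSessionId()); the authenticate() method and the passwordInQuery regex are placeholders constructed for the example and are not the detector's own passwordPattern.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SafeLoginServlet extends HttpServlet {

    // Constructed guard regex for this example; mirrors the idea of the
    // detector's passwordPattern setting but is not its actual value.
    private static final Pattern passwordInQuery =
        Pattern.compile("(?i)[?&](password|passwd|pwd)=");

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Credentials arrive in the POST body, never in the URL.
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (!authenticate(username, password)) {
            // Failure path: redirect with a neutral flag only, no echoed credential.
            safeRedirect(response, "/login?error=1");
            return;
        }

        // Keep the authenticated state server-side in the session.
        // Rotating the session id on login also defeats session fixation.
        request.changeSessionId();
        HttpSession session = request.getSession(true);
        session.setAttribute("user", username);

        // The redirect target carries no sensitive data at all.
        safeRedirect(response, "/home");
    }

    /** Last-line guard: refuse any redirect whose query string looks like a credential. */
    static void safeRedirect(HttpServletResponse response, String location) throws IOException {
        if (passwordInQuery.matcher(location).find()) {
            throw new IllegalArgumentException("refusing redirect: credential in query string");
        }
        response.sendRedirect(location);
    }

    // Placeholder for the application's real credential check (e.g. a salted hash compare).
    private boolean authenticate(String username, String password) {
        return username != null && password != null && !password.isEmpty();
    }
}
```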
Configuration
The detector has the following configurable parameter:
- passwordPattern: the regex used to determine whether the redirect URL contains a password.
References
- CWE-359: Exposure of Private Personal Information to an Unauthorized Actor.
- CWE-598: Use of GET Request Method With Sensitive Query Strings.
- OWASP Top 10 2021, Category A01: Broken Access Control.
- FIO52-J: Do not store unencrypted sensitive information on the client side. SEI CERT Oracle Coding Standard for Java.