Password In Redirect
ID | php.password_in_redirect
Severity | critical
Resource | Information Leak
Language | PHP
Tags | CWE:359, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3
Description
Sensitive information, such as passwords, must never be placed in the URL query parameters of a redirect. A password in the Location URL is written to browser history, web server and proxy logs, and Referer headers, where anyone with access to those records can read it.
Rationale
When a password is included in a URL query parameter during a redirect, it is copied into places that were never designed to hold secrets and that are usually far less protected than the credential store itself, such as:
- Browser history and autocomplete storage on the client
- Web server access logs, which record the full request line including the query string
- Proxy and CDN logs and caches along the path
- Referer headers sent to third-party sites when the landing page loads external resources or the user follows an outbound link
An attacker who obtains any of these logs or cached entries can recover the password and authenticate as the victim; because users frequently reuse passwords, the exposure often extends beyond the application that leaked it.
For example, the following PHP code snippet shows how a password might inadvertently be included in a URL during a redirect:
<?php
// Vulnerable: the submitted password is taken straight from the POST body ...
$password = $_POST['password'];
// ... and interpolated, unencoded, into the query string of the Location header.
header("Location: https://example.com/dashboard.php?password=$password");
exit();
In this example the browser issues a GET request for the Location URL, so the password becomes part of the request line that is recorded in the browser's history and in every access log between the client and the server.
Remediation
To prevent this vulnerability, never carry a password across a redirect in the URL. Verify the credential on the server, record the outcome in server-side session storage, and redirect to a URL that contains no sensitive data; the only thing that travels with the redirect is the opaque session cookie. If a value genuinely has to be submitted, send it in a POST body rather than in a query string.
Secure Example
<?php
// Secure: runs only after the submitted credentials have been verified
// (for example with password_verify() against the stored hash).
session_start();
session_regenerate_id(true); // fresh session ID on privilege change; prevents session fixation
$_SESSION['authenticated'] = true;
// The password never leaves the server; the redirect target carries no sensitive data.
header("Location: https://example.com/dashboard.php");
exit();
This approach keeps the sensitive data inside the server-side session, so nothing secret appears in the URL, in access logs, or in the Referer header of subsequent requests.
Configuration
The detector has the following configurable parameter:
- passwordPattern: the regular expression applied to the redirect URL to decide whether it carries a password (for instance by matching a query parameter name such as password or pwd).
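To make the effect of passwordPattern concrete, here is a small Python re-implementation of the kind of check this rule performs. It is example code added to this page, not the scanner's own implementation: it scans PHP source for header("Location: ...") calls whose argument is a single string literal, parses the query string, and reports a finding when a parameter name matches the pattern or when the parameter value interpolates a PHP variable or array key whose name matches it. The default pattern, the helper names and the embedded PHP sample are all assumptions made for this example.

```python
"""Simplified password-in-redirect check for PHP source (added example, not the scanner's code)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed default for passwordPattern; the real detector's default is not stated on the page.
# Anchored so that status flags such as ?passwordChanged=1 are not reported.
DEFAULT_PASSWORD_PATTERN = r"(?i)^(pass(word|wd|phrase)?|pwd|secret)$"

# header("Location: <url>") or header('Location: <url>') with a single string-literal argument.
# Concatenated arguments (header('Location: ' . $url)) are deliberately not matched here.
HEADER_LOCATION_RE = re.compile(
    r"""header\s*\(\s*(["'])\s*Location\s*:\s*(?P<url>.*?)\1\s*\)""",
    re.IGNORECASE,
)

# PHP variables interpolated into a double-quoted string: $password, ${password}, $_POST[password]
PHP_VAR_RE = re.compile(r"\$\{?(\w+)\}?(?:\[['\"]?(\w+)['\"]?\])?")


def find_password_redirects(php_source, password_pattern=DEFAULT_PASSWORD_PATTERN):
    """Return (line_number, parameter_name, reason) for every redirect that leaks a password."""
    pattern = re.compile(password_pattern)
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        match = HEADER_LOCATION_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("url")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if pattern.search(name):
                findings.append((lineno, name, "parameter name matches passwordPattern"))
                continue
            # Parameter named innocently (?token=...) but filled from a password variable.
            for var in PHP_VAR_RE.finditer(value):
                candidate = var.group(2) or var.group(1)  # array key if present, else variable name
                if pattern.search(candidate):
                    findings.append((lineno, name, f"value interpolates PHP name '{candidate}'"))
                    break
    return findings


# Constructed PHP sample for the demonstration; not code from the original page.
SAMPLE_PHP = r"""<?php
$password = $_POST['password'];
header("Location: https://example.com/dashboard.php?password=$password");   // leaks: parameter name
header("Location: https://example.com/dashboard.php");                      // safe: no query string
header("Location: /step2.php?user=$user&token=$_POST[password]");           // leaks: value from password
header("Location: /settings.php?passwordChanged=1");                        // status flag, not a secret
header('Location: /admin.php?secret=' . $apiSecret);                        // concatenation: not handled
"""

if __name__ == "__main__":
    for lineno, name, reason in find_password_redirects(SAMPLE_PHP):
        print(f"line {lineno}: parameter '{name}' ({reason})")
```

Running the block with the default pattern reports lines 3 and 5 only; switching passwordPattern to an unanchored expression such as (?i)pass additionally reports the passwordChanged flag on line 6, which is the trade-off to weigh when tuning the parameter. Line 7 is a false negative of this string-literal approach: a real detector works on the parsed PHP AST and follows concatenation and variable assignments rather than matching source text.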
References
- CWE-359: Exposure of Private Personal Information to an Unauthorized Actor.
- OWASP Top 10 2021, Category A07: Identification and Authentication Failures.