API key in query string

firetail:api-key-in-query-string

Type:

Finding

Rule Severity:

Medium

An endpoint uses a security scheme that carries the API key in the query string. Because many components routinely record full request URLs, the key can leak through application server logs, proxy and CDN access logs, users' browser history and browser extensions, or third-party analytics packages, none of which are designed to handle secrets.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Switch to transporting the credential in a request header (for example, change the OpenAPI `apiKey` scheme from `in: query` to `in: header`), or in the request body.


How to Identify with Example Scenario

In the API specification, look for a security scheme of type `apiKey` whose `in` value is `query` (under `components.securitySchemes` in OpenAPI 3, or `securityDefinitions` in Swagger 2), and for any operation whose `security` requirement, either its own or the document-level default, references that scheme.

How to Resolve with Example Scenario

Change the scheme's `in` value from `query` to `header` and give it a header `name` (or move the credential into the request body), then confirm that no remaining operation references a query-string API key.
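As an added example (not part of the original page and not FireTail's own implementation), the following Python script shows the identify and resolve steps together, plus the leak channel that motivates the rule: it scans a constructed OpenAPI 3 document for `apiKey` schemes with `in: query`, reports the operations that effectively use them, rewrites those schemes to a header, and extracts leaked key values from constructed access-log lines. The sample spec, the log lines, and the header name `X-API-Key` are assumptions made for the example.

```python
import copy
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample OpenAPI 3.0 document (assumption, not from the page).
# "QueryKey" is the problem: an apiKey scheme carried in the query string.
# "HeaderKey" is the acceptable alternative.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Example API", "version": "1.0"},
    "components": {
        "securitySchemes": {
            "QueryKey": {"type": "apiKey", "in": "query", "name": "api_key"},
            "HeaderKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        }
    },
    # Document-level default applies to every operation without its own list.
    "security": [{"QueryKey": []}],
    "paths": {
        "/users": {
            "get": {"responses": {"200": {"description": "ok"}}},
            # Operation-level security overrides the document-level default.
            "post": {
                "security": [{"HeaderKey": []}],
                "responses": {"201": {"description": "created"}},
            },
        }
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def query_key_schemes(spec):
    """Names of security schemes of type apiKey delivered in the query string.
    Handles both OpenAPI 3 (components.securitySchemes) and Swagger 2
    (securityDefinitions), which share the same scheme object shape."""
    schemes = {**spec.get("securityDefinitions", {}),
               **spec.get("components", {}).get("securitySchemes", {})}
    return sorted(name for name, s in schemes.items()
                  if s.get("type") == "apiKey" and s.get("in") == "query")


def find_findings(spec):
    """Return (METHOD, path, scheme) for every operation whose effective
    security requirement references a query-string API key."""
    bad = set(query_key_schemes(spec))
    default_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary", extensions, etc.
            requirements = op.get("security", default_security)
            for requirement in requirements:
                for scheme in requirement:
                    if scheme in bad:
                        findings.append((method.upper(), path, scheme))
    return findings


def remediate(spec, header_name="X-API-Key"):
    """Return a copy of the spec with every query-string apiKey scheme moved
    to a request header. The header name is an assumption for the example."""
    fixed = copy.deepcopy(spec)
    containers = (fixed.get("components", {}).get("securitySchemes", {}),
                  fixed.get("securityDefinitions", {}))
    for container in containers:
        for scheme in container.values():
            if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
                scheme["in"] = "header"
                scheme["name"] = header_name
    return fixed


# Constructed access-log lines (assumption) in common log format. The key
# in the GET request target is recorded verbatim; the header-based POST
# leaks nothing because headers are not part of the logged request line.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] '
    '"GET /users?api_key=sk_live_123&page=2 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:12:00:01 +0000] "POST /users HTTP/1.1" 201 48',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS|TRACE) (\S+) HTTP/')


def leaked_keys_in_log(lines, param_names):
    """Pull credential values out of logged request targets for the given
    query parameter names; this is what anyone with log access would see."""
    leaked = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        for name in param_names:
            leaked.extend(query.get(name, []))
    return leaked


if __name__ == "__main__":
    print("query-string schemes:", query_key_schemes(SAMPLE_SPEC))
    print("findings:", find_findings(SAMPLE_SPEC))
    print("after remediation:", find_findings(remediate(SAMPLE_SPEC)))
    print("keys visible in logs:", leaked_keys_in_log(LOG_LINES, {"api_key"}))
```

The scanner resolves the effective security requirement per operation, so `POST /users` is not reported even though the document-level default uses the query-string scheme; a checker that only inspects `securitySchemes` would flag the scheme but could not tell you which operations actually expose the key.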