Plaintext API key

firetail:plaintext-api-key

Type:

Finding

Rule Severity:

Critical

An endpoint is using an API key based security mechanism over HTTP.

This exposes the API key in plaintext on the network and can lead to attackers finding and using the API key to make unauthorized API calls.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Change the transport protocol to HTTPS. This will ensure that all data in the request including API keys are encrypted in transit.

Example Attack Scenario

Exposure to Eavesdropping: HTTP transmits data in plaintext, which means that API keys sent over HTTP can be intercepted by anyone monitoring the network traffic. This exposes the API key to potential theft or misuse by malicious actors.

How to Identify with Example Scenario

How to Resolve with Example Scenario

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings
AWS ALB listeners should be configured with HTTPS or TLS termination
Missing global security
Plaintext negotiated authentication
Missing 4xx response
Paypal secrets found in logs
Accepted negative data