API Key is not removed before the request is sent to target system

Severity: High
Applies to: Proxy
Links: CWE-201

Why This Issue Is Important

In an Apigee proxy, API keys are often used to authenticate requests from consumers. However, if an API key is not removed before the request is sent to the target system, it can lead to unintended exposure of sensitive information. Passing the API key along to the target system can be a trust boundary violation, as it may expose credentials or tokens that were intended only for the Apigee layer. This can result in unauthorized access or disclosure of confidential data, which is a significant security risk.

Ensuring that the API key is removed before forwarding the request to the target system is crucial for maintaining data confidentiality and adhering to security best practices. This practice helps prevent the unintended sharing of sensitive information with external systems, reducing the risk of security breaches.

How This Issue Is Detected

CodeSent scans the flow to identify steps where the API key is accessed.

The tool then checks whether the API key is removed or overridden in any subsequent step before the request is forwarded to the target system.

If the API key is not removed, CodeSent flags this as a potential risk.

How to Fix the Issue

To fix this issue, strip the API key from the request once it has been verified and before the request is forwarded to the target system, so that the credential never leaves the Apigee layer.
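One way to apply this fix in an Apigee proxy, as an added example rather than code from this page or from CodeSent: an AssignMessage policy that strips the key, attached in the ProxyEndpoint request PreFlow immediately after the VerifyAPIKey step. The header name x-api-key, the query parameter apikey, the policy names and the file paths are assumptions.

```xml
<!-- Added example (not CodeSent's or Apigee's own code). Assumed names: the
     consumer sends the key in the x-api-key header or the apikey query
     parameter, the verification policy is VA-VerifyApiKey and the removal
     policy is AM-RemoveApiKey. -->

<!-- apiproxy/policies/AM-RemoveApiKey.xml (assumed path) -->
<AssignMessage name="AM-RemoveApiKey">
  <DisplayName>AM-RemoveApiKey</DisplayName>
  <!-- Remove the credential from every location the consumer may have used. -->
  <Remove>
    <Headers>
      <Header name="x-api-key"/>
    </Headers>
    <QueryParams>
      <QueryParam name="apikey"/>
    </QueryParams>
  </Remove>
  <!-- Do not fail the request if one of the locations was not present. -->
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <!-- Modify the existing request message rather than creating a new one. -->
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- apiproxy/proxies/default.xml (assumed path), request PreFlow excerpt.
     VerifyAPIKey runs first, while the key is still on the request; the
     removal step follows it, so no later step and no TargetEndpoint sees
     the key. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>VA-VerifyApiKey</Name>
      </Step>
      <Step>
        <Name>AM-RemoveApiKey</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <!-- Flows, PostFlow, HTTPProxyConnection and RouteRule unchanged -->
</ProxyEndpoint>
```

As a check after deploying, compare the target system's request log before and after: the key should no longer appear in any forwarded header or URL. A Remove step placed in the response flow, after the target call, does not resolve this finding.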