Policy sets confidential data in URL parameters

Severity: High
Applies to: Step
Links: CWE-598

Why This Issue Is Important

In an Apigee proxy, setting confidential data (such as personal identifiers or sensitive information) in URL parameters is a significant security risk. URL parameters can be logged by various systems, such as web servers, proxies, or even the user's browser history. This makes them an insecure method of transmitting confidential data, as the data could be exposed to unauthorized parties through these logs.

Confidential data should be transmitted securely, either in the HTTP request body or headers, where it is less likely to be logged and more easily protected with encryption. Using URL parameters for such data goes against security best practices and can lead to data breaches that compromise the confidentiality of sensitive information.

How This Issue Is Detected

CodeSent scans the ServiceCallout and AssignMessage policies to identify any variables that are set as URL parameters.

The tool checks whether these URL parameters contain confidential data, such as a phone number, PIN, or email address.

If confidential data is detected in the URL parameters, CodeSent flags this as a potential security risk.
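A check of this kind can be sketched as follows. This is an added example, not CodeSent's own implementation: the keyword list, function names and sample policies are assumptions made for illustration. It matches whole words rather than substrings, so a parameter named "shipping" is not reported for containing "pin", and it also inspects flow variables referenced in the parameter value.

```python
import re
import xml.etree.ElementTree as ET

# Assumed keyword list: the page gives phone number, PIN and email as
# examples; the scanner's real list is not shown on the page.
SENSITIVE = {"phone", "pin", "email", "password", "ssn"}
TOKEN = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")
TEMPLATE_VAR = re.compile(r"\{([^{}]+)\}")

def tokens(text):
    """Split camelCase, snake_case and dotted names into lowercase words."""
    return {t.lower() for t in TOKEN.findall(text)}

def find_sensitive_query_params(policy_xml):
    """Return (policy name, param name, matched words) per risky QueryParam."""
    root = ET.fromstring(policy_xml)
    if root.tag not in ("AssignMessage", "ServiceCallout"):
        return []
    findings = []
    for op in root.iter():
        # Only Set and Add write parameters; Remove and Copy are ignored here.
        if op.tag not in ("Set", "Add"):
            continue
        for qp in op.findall("QueryParams/QueryParam"):
            name = qp.get("name", "")
            words = tokens(name)
            # Flow variables in the value, e.g. {request.formparam.email}
            for var in TEMPLATE_VAR.findall(qp.text or ""):
                words |= tokens(var)
            hits = sorted(words & SENSITIVE)
            if hits:
                findings.append((root.get("name"), name, hits))
    return findings

# Constructed sample policies (not taken from a real proxy).
CALLOUT = """<ServiceCallout name="SC-Lookup"><Request><Set><QueryParams>
  <QueryParam name="customerEmail">{request.formparam.email}</QueryParam>
  <QueryParam name="shipping">express</QueryParam>
  <QueryParam name="q">{request.header.x-user-pin}</QueryParam>
</QueryParams></Set></Request></ServiceCallout>"""

HEADERS_ONLY = """<AssignMessage name="AM-Headers">
  <Set><Headers><Header name="X-User-Email">{request.formparam.email}</Header></Headers></Set>
  <Remove><QueryParams><QueryParam name="email"/></QueryParams></Remove>
</AssignMessage>"""

if __name__ == "__main__":
    for policy in (CALLOUT, HEADERS_ONLY):
        print(find_sensitive_query_params(policy))
```

The second policy produces no findings: the value travels in a header, and a Remove block only strips a parameter from the message.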

How to Fix the Issue

To fix this issue, you should ensure that confidential data is not sent in URL parameters. Instead, use the HTTP request body or headers to securely transmit the data.

If your policy currently uses URL parameters for confidential data:

<AssignMessage name="SetConfidentialDataInURL">
    <Set>
        <QueryParams>
            <QueryParam name="userId">someConfidentialData</QueryParam>
        </QueryParams>
    </Set>
</AssignMessage>

You should modify it to send the data in the HTTP request body or headers:

<AssignMessage name="SetConfidentialDataInHeaders">
    <Set>
        <Headers>
            <Header name="X-Confidential-UserId">someConfidentialData</Header>
        </Headers>
    </Set>
</AssignMessage>