PTKD Mobile App Security
Severity: medium | M1 | MASVS-NETWORK-1 | dynamic analysis | PTKD-DYN-AUTH-IN-URL

Credential passed in a URL

A sensitive value (password/token/api key) was sent as a URL query parameter, where it lands in logs, history, and Referer headers.

How it's exploited

Credentials or tokens appeared in a URL query string. URLs are recorded in many places the app does not control: server access logs, proxies, CDNs, browser history, and the Referer header sent along with every follow-on request, so a single leaked secret is copied across systems and retained long after the request completed.

Why it matters

Session or API credentials end up persisted in plaintext in logs, often ones owned and retained by third parties, where anyone with read access to those logs can reuse them.

How to fix it

  1. Move the credential to an Authorization header (or request body for form posts).
  2. Invalidate tokens that were already sent via URL and scrub them from your own logs.

References