Password In Redirect

ID: csharp.password_in_redirect

Severity: critical

Resource: Information Leak

Language: CSharp

Tags: CWE:359, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3

Description

This detector identifies places where a password is placed in a URL during a redirect, which can expose it through server access logs, proxy logs and browser history.

Rationale

Passwords should never be included in URLs during server-side redirection, because URLs are routinely written to server-side logs, stored in browser histories, and shared inadvertently.

Passing sensitive data such as a password through a URL query string as part of a redirect therefore introduces an unintended information leak.

For example, the following C# code snippet shows how a password might inadvertently be included in a URL during a redirect:

using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;

[ApiController]
[Route("login")]
public class LoginController : Controller
{
    [HttpPost("submit")]
    public IActionResult Submit()
    {
        // Credentials are read from the POST body, which is the right place for them.
        string username = Request.Form["username"];
        string password = Request.Form["password"];

        // FLAW: Redirecting with password in URL (leaks sensitive info in logs, browser history, etc.)
        string redirectUrl = $"/login?username={Uri.EscapeDataString(username)}&password={Uri.EscapeDataString(password)}";
        return Redirect(redirectUrl);
    }
}

In this example, both the username and password parameters are placed in the URL passed to the Redirect() method. This exposes the password not only in the client’s browser history but also in any intervening proxies and logs.

Remediation

To remediate this vulnerability, avoid including sensitive information such as passwords in URL query parameters or redirects. Instead, consider the following approaches:

  1. Use POST Requests: Send sensitive data with HTTP POST. POST requests carry parameters in the request body rather than the URL, keeping them out of access logs and browser history.

  2. Session Management: Store temporary sensitive data in session variables or secure cookies instead, so that it never appears in a URL.

  3. Encrypted Tokens: If redirecting with data is unavoidable, use encrypted tokens. Such tokens can be sent in URL query strings because they cannot be interpreted without the decryption key.

  4. Security Auditing: Adopt security auditing practices, primarily Static Application Security Testing (SAST) tools, so that such vulnerabilities are caught early in development.
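The following is an added example, not code from the original page, showing the same login endpoint rewritten along the lines of approaches 1 and 2: the credentials arrive only in the POST body, the signed-in identity is kept in the server-side session, and the redirect URL carries no secret. It assumes a hypothetical IUserService for credential verification and that session support (AddSession/UseSession) is configured in the application startup.

```csharp
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Hypothetical credential-verification service (assumption, not part of the original page).
public interface IUserService
{
    bool VerifyCredentials(string username, string password);
}

[ApiController]
[Route("login")]
public class LoginController : Controller
{
    private readonly IUserService _users;

    public LoginController(IUserService users) => _users = users;

    [HttpPost("submit")]
    public IActionResult Submit([FromForm] string username, [FromForm] string password)
    {
        // Credentials travel only in the POST body, never in the URL.
        if (!_users.VerifyCredentials(username, password))
        {
            // On failure, redirect with a generic status only; never echo the
            // submitted username or password back into the query string.
            return Redirect("/login?error=invalid");
        }

        // Keep the signed-in identity server-side (requires session middleware);
        // the redirect target contains nothing sensitive.
        HttpContext.Session.SetString("username", username);
        return Redirect("/account");
    }
}
```

With this shape the detector's passwordPattern has nothing to match, because no redirect URL is built from the password value.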

Configuration

The detector has the following configurable parameters:

  • passwordPattern: the regular expression used to decide whether a redirect URL contains a password.

References