Route calls external APIs insecurely


Description

An API endpoint includes secrets such as API keys, tokens, or credentials in the URL when calling external APIs. Embedding secrets in URLs is particularly dangerous because URLs are commonly logged by web servers, proxies, and intermediaries, and visible in referrer headers. This significantly increases the risk of credential exposure compared to passing secrets in request headers or bodies.

Rationale

This finding works by identifying an API route that includes secrets or API keys in the URL of requests made to external APIs.

Remediation

  • Pass secrets in request headers (e.g., Authorization header) instead of URL query parameters
  • Ensure all external API calls transmitting credentials are made over HTTPS
  • Rotate any API keys that may have been exposed in URLs
  • Use a secrets manager to control and audit credential usage
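The following added example (not part of this page) shows the insecure pattern this finding detects beside its remediated form, plus a small check and a log-redaction helper a team can use to catch or mask credential-bearing URLs. The external host, endpoint and parameter names are hypothetical.

```python
"""Added example: secret-in-URL pattern, its header-based fix, and a
check that flags credential-like query parameters on outbound URLs.
Host, path and parameter names below are hypothetical."""
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

EXTERNAL_API = "https://api.example-partner.test/v1/reports"  # hypothetical

# Query-parameter names that usually carry credentials; extend per codebase.
SECRET_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "secret", "password"}


def build_request_insecure(api_key: str, report_id: str) -> urllib.request.Request:
    """Before: the secret rides in the URL, so it lands in server, proxy
    and intermediary logs and can leak through Referer headers."""
    url = f"{EXTERNAL_API}?{urlencode({'id': report_id, 'api_key': api_key})}"
    return urllib.request.Request(url, method="GET")


def build_request_secure(api_key: str, report_id: str) -> urllib.request.Request:
    """After: only non-sensitive data stays in the URL; the secret travels
    in the Authorization header, which access logs normally omit."""
    url = f"{EXTERNAL_API}?{urlencode({'id': report_id})}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {api_key}")
    return req


def leaked_secret_params(url: str) -> list[str]:
    """Return credential-like query parameter names found in url.
    Rejects plain http, since credentials must only move over HTTPS."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"external API call must use HTTPS, got {parsed.scheme!r}")
    return sorted(k for k, _ in parse_qsl(parsed.query) if k.lower() in SECRET_PARAMS)


def redact_url(url: str) -> str:
    """Mask credential-like parameters so a URL is safe to write to logs."""
    parsed = urlparse(url)
    masked = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
              for k, v in parse_qsl(parsed.query)]
    return urlunparse(parsed._replace(query=urlencode(masked)))


if __name__ == "__main__":
    bad = build_request_insecure("sk_test_constructed", "42")  # constructed key
    print("leaked params:", leaked_secret_params(bad.full_url))
    print("log-safe URL:", redact_url(bad.full_url))
```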

References

Reference: OWASP API10:2023 - Unsafe Consumption of APIs
Description: OWASP API Security guidance on safely consuming third-party APIs.