Pushing Left, Like a Boss — Part 5.7 — URL Parameters

Never put important information in the URL parameters of your application. By “important”, I mean anything that could be used to make a non-trivial decision in your application. The same goes for hidden fields: don’t store or pass anything valuable there either. Important information must be transmitted in a secure manner, and hidden fields and URL parameters are not the place for that.
Risks of putting sensitive information in the URL include: the sensitive data being cached, the data being exposed in a man-in-the-middle attack, and an attacker injecting their own values in place of the expected ones.
Examples of things that should not be in URL parameters:
- User IDs (for a user logging into a system; an ID used only to bookmark a public page, and nothing more, is a different matter, because bookmarks on public pages are not sensitive.)
- Account numbers
- SIN Numbers
- Dates of birth and other combinations of information that could possibly be used to impersonate someone
- Home address
- Query or search information
- Personally Identifiable Information (PII)
- A token or session ID
Franziska Bühler and I at the Open Security Summit, 2018
Examples of things that could be in URL parameters:
- Which language the user wants to view the site in, for instance “fr” for French or “en” for English. If an attacker switches it, the user will see the same information, in a different language. No harm, no foul.
- The page number of a form or document when the user is allowed to see all of its pages and there is no reason they cannot skip ahead or back.
- Viewing preferences for the form, for instance contrast or brightness settings. Although it would be an inconvenience if an attacker changed the brightness or contrast of a page, the user would not be harmed, nor would the application or its data.
- Query terms in a search engine.
Key takeaway: when in doubt, do not pass it in the URL.
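One way to check whether an application is already doing this is to audit its access logs for query-parameter names that fall into the “should not be in the URL” list above while ignoring the harmless ones (language, page number, viewing preferences, search terms). The following is an added example written for this post, not code from the original; the parameter-name patterns and the log lines are constructed and would need tuning to a real application’s naming.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that map to the post's "should not be in the URL" list.
# Constructed heuristics: adjust the patterns to your own application's naming.
SENSITIVE_PATTERNS = {
    "user id": re.compile(r"^(user_?id|uid|userid)$", re.I),
    "account number": re.compile(r"^(acct|account)_?(no|num|number|id)?$", re.I),
    "SIN": re.compile(r"^(sin|ssn|social_?(insurance|security)(_?number)?)$", re.I),
    "date of birth": re.compile(r"^(dob|birth_?date|date_?of_?birth)$", re.I),
    "home address": re.compile(r"^(address|addr|postal_?code|zip)", re.I),
    "token or session ID": re.compile(r"^(token|session|sess|jsessionid|sid|auth)", re.I),
}
# Names the post says are acceptable: language, page number, viewing preferences, search terms.
HARMLESS = {"lang", "locale", "page", "contrast", "brightness", "q", "query"}


def audit_url(url: str) -> list[tuple[str, str]]:
    """Return (parameter name, reason) for every sensitive-looking query parameter in a URL."""
    findings = []
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in HARMLESS:
            continue
        for reason, pattern in SENSITIVE_PATTERNS.items():
            if pattern.match(name):
                findings.append((name, reason))
                break
    return findings


def audit_access_log(lines) -> dict[str, list[tuple[str, str]]]:
    """Map each request path carrying sensitive parameters to its findings (CLF-style lines)."""
    results = {}
    for line in lines:
        m = re.search(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/', line)
        if m and (found := audit_url(m.group(1))):
            results[m.group(1)] = found
    return results


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /profile?userId=4821&lang=fr HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=left+shift&page=2 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /statement?account_no=00123&dob=1980-01-01 HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /reset?token=abc123&contrast=high HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for path, found in audit_access_log(SAMPLE_LOG).items():
        print(path, "->", ", ".join(f"{n} ({r})" for n, r in found))
```

The search request is the only one of the four that passes cleanly; the other three show the kind of parameter that belongs in a POST body or a server-side session instead.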
Up next in the ‘Pushing Left, Like a Boss’ series: Securing Your Cookies.