CWE-598 on ZAP

access_token/id_token in URL

Mon, 01 Jan 0001 00:00:00 +0000

Detects access tokens, JWTs, and API keys present in URLs or query strings observed in traffic.

Generated by OWASP PTK DAST Module

api_key/key in URL

Mon, 01 Jan 0001 00:00:00 +0000

Detects access tokens, JWTs, and API keys present in URLs or query strings observed in traffic.

Generated by OWASP PTK DAST Module

Information Disclosure - Sensitive Information in HTTP Referrer Header

Mon, 01 Jan 0001 00:00:00 +0000

The HTTP header may have leaked a potentially sensitive parameter to another domain. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

Information Disclosure - Sensitive Information in URL

Mon, 01 Jan 0001 00:00:00 +0000

The request appeared to contain sensitive information leaked in the URL. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

JWT-like value in URL

Mon, 01 Jan 0001 00:00:00 +0000

Detects access tokens, JWTs, and API keys present in URLs or query strings observed in traffic.

Generated by OWASP PTK DAST Module

Referer Exposes Session ID

Mon, 01 Jan 0001 00:00:00 +0000

A hyperlink pointing to another host name was found. As session ID URL rewrite is used, it may be disclosed in referer header to external hosts.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.