Scala Cleartext Sensitive Information
Description
Detects potential exposure of sensitive information in cleartext through URLs or redirects in Scala Play Framework applications. This vulnerability could allow attackers to intercept sensitive data by monitoring network traffic or accessing browser history since URL parameters are typically logged and stored unencrypted.
Detection Strategy
• Check if the Scala code uses Play Framework by looking for 'play.api.mvc' imports
• Identify calls to 'url' or 'Redirect' functions in the code
• Examine the arguments passed to these functions to detect if they contain sensitive information
• Flag any instances where sensitive data could be exposed through URL parameters or redirect paths
Vulnerable code example
import play.api.mvc._
import play.api.libs.ws._
import javax.inject._

@Singleton
class AuthController @Inject()(ws: WSClient, cc: ControllerComponents) extends AbstractController(cc) {
  def login = Action.async { request =>
    // Source: sensitive password data taken from the submitted form body
    val password = request.body.asFormUrlEncoded
      .flatMap(_.get("password")).flatMap(_.headOption).getOrElse("")
    ...

✅ Secure code example
import play.api.mvc._
import play.api.libs.ws._
import play.api.libs.json._
import javax.inject._
import scala.concurrent.ExecutionContext
@Singleton
class AuthController @Inject()(ws: WSClient, cc: ControllerComponents)(implicit ec: ExecutionContext) ...
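The following is an added example and is not part of this page or of Fluid Attacks' own rule implementation. It is a small Python checker that applies the four detection steps above (Play import present, `Redirect`/`url` call found, call argument inspected, sensitive term flagged) to Scala source text. The two Scala controllers it scans are constructed for this example: the first forwards the submitted password in a redirect query string, the pattern the vulnerable example above begins to show; the second keeps the credential server-side and only issues a session cookie, which is the shape of the secure example. The names `scan_scala_source`, `_call_argument`, `checkCredential` and the list of sensitive terms are assumptions made here, not the rule's actual heuristics.

```python
import re
from typing import Dict, List

# Constructed Scala inputs for the checker (not from the page). The vulnerable
# controller forwards the submitted password in a redirect query string; the safe
# one keeps it server-side and only issues a session cookie.
VULNERABLE_CONTROLLER = """\
import play.api.mvc._
import javax.inject._

@Singleton
class AuthController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {
  def login = Action { request =>
    val password = request.body.asFormUrlEncoded
      .flatMap(_.get("password")).flatMap(_.headOption).getOrElse("")
    // Sensitive value lands in a query string: logged by proxies, kept in browser history.
    Redirect(s"/dashboard?user=alice&password=$password")
  }
}
"""

SAFE_CONTROLLER = """\
import play.api.mvc._
import javax.inject._

@Singleton
class AuthController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {
  def login = Action { request =>
    val password = request.body.asFormUrlEncoded
      .flatMap(_.get("password")).flatMap(_.headOption).getOrElse("")
    // Credential is checked server-side; the client only receives a signed session cookie.
    if (checkCredential(password)) Redirect("/dashboard").withSession("user" -> "alice")
    else Unauthorized("bad credentials")
  }
  private def checkCredential(candidate: String): Boolean = candidate.nonEmpty // placeholder
}
"""

# Step 1: the rule only applies to Play controllers.
PLAY_IMPORT_RE = re.compile(r"^\s*import\s+play\.api\.mvc\b", re.MULTILINE)
# Step 2: calls whose argument ends up in a URL or redirect target.
CALL_RE = re.compile(r"\b(Redirect|url)\s*\(")
# Step 3: identifiers and query keys that suggest sensitive data (assumed list, case-insensitive).
SENSITIVE_RE = re.compile(r"\b(password|passwd|secret|token|api_?key|ssn)\b", re.IGNORECASE)


def _call_argument(src: str, open_paren: int) -> str:
    """Return the text between the '(' at open_paren and its matching ')'.
    Parentheses inside double-quoted strings do not affect nesting."""
    depth, in_str, i = 0, False, open_paren
    while i < len(src):
        ch = src[i]
        if in_str:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return src[open_paren + 1:]  # unbalanced call: take the rest of the file


def scan_scala_source(src: str) -> List[Dict[str, object]]:
    """Apply the four detection steps; each finding names the line, the call and the term."""
    if not PLAY_IMPORT_RE.search(src):
        return []
    findings: List[Dict[str, object]] = []
    for call in CALL_RE.finditer(src):
        argument = _call_argument(src, call.end() - 1)
        hit = SENSITIVE_RE.search(argument)
        if hit:  # Step 4: flag the call whose argument carries a sensitive term
            findings.append({
                "line": src.count("\n", 0, call.start()) + 1,
                "call": call.group(1),
                "term": hit.group(0).lower(),
            })
    return findings


if __name__ == "__main__":
    for name, source in (("vulnerable", VULNERABLE_CONTROLLER), ("safe", SAFE_CONTROLLER)):
        print(name, scan_scala_source(source) or "no findings")
```

The checker is a name-based heuristic, so it reports a `Redirect` whose argument mentions a sensitive term and stays silent when the argument is a fixed path; a taint-tracking engine would instead follow the value from `asFormUrlEncoded` into the URL, which catches renamed variables this version misses.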