Swift Information Exposure In Query String
Description
Detects potentially sensitive information being placed in URL query strings in Swift applications. When the URLQueryItem values attached to a URLComponents instance carry sensitive data such as passwords, session or API tokens, or personally identifiable information (PII), that data becomes part of the request URL. Query strings are written to web-server and proxy access logs, kept in browser and app history, and leaked to third parties through the Referer header. TLS does not help here: the full URL is decrypted at the server and logged there like any other. Such data belongs in the body of a POST request (or in an Authorization header) sent over HTTPS, with the server side configured not to log request bodies.
Detection Strategy
• Checks that the Foundation framework is imported in the Swift code (directly, or through UIKit, AppKit or SwiftUI, which re-export it), since URLQueryItem is declared there
• Identifies URLQueryItem instantiations in the code
• Verifies that each URLQueryItem is used in a query parameter assignment context (assigned to or appended to a queryItems property), not merely constructed
• Examines the arguments passed to URLQueryItem (the parameter name, and the value where it is known) for sensitive-data patterns such as passwords, tokens, or PII
• Reports a vulnerability if sensitive data is detected in query parameter construction
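The five steps above, carried out as an added Python example (this is not Fluid Attacks' engine or rule code): a regex-based pass over Swift source that checks for a Foundation import, finds URLQueryItem instantiations, keeps only those inside a queryItems assignment or append, classifies the literal parameter name, and reports the line. The sensitive-name list and the four Swift snippets it is run against are constructed for this example and are assumptions, not the rule's own.

```python
import re
from dataclasses import dataclass


# Query keys that usually carry credentials, tokens or PII. The list is an
# assumption made for this example; the page does not publish the rule's own.
SENSITIVE_NAME = re.compile(
    r"pass(word|wd)?|pwd|secret|token|api[_-]?key|session|auth|ssn|"
    r"credit[_-]?card|cvv|email|phone|dob",
    re.IGNORECASE,
)

# URLQueryItem is declared in Foundation; UIKit, AppKit and SwiftUI re-export it.
FOUNDATION_IMPORT = re.compile(
    r"^\s*import\s+(Foundation|UIKit|AppKit|SwiftUI)\b", re.MULTILINE
)

# Statements that attach items to a URL: `x.queryItems = [ ... ]` or
# `x.queryItems?.append( ... )`. DOTALL lets the array literal span lines.
QUERY_ASSIGNMENT = re.compile(
    r"\.queryItems\s*(?:=\s*\[(?P<items>[^\]]*)\]|\??\.append\((?P<appended>.*?\))\))",
    re.DOTALL,
)

# URLQueryItem(name: "literal", value: ...). Only literal names can be
# classified without data-flow analysis, so that is all this example handles.
QUERY_ITEM = re.compile(r'URLQueryItem\(\s*name:\s*"(?P<name>[^"]*)"\s*,\s*value:')


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line of the offending URLQueryItem
    name: str   # the query parameter name that looked sensitive


def find_query_string_exposure(source: str) -> list[Finding]:
    """Run the five detection steps over one Swift file."""
    # Step 1: without Foundation in scope there is no URLQueryItem to misuse.
    if not FOUNDATION_IMPORT.search(source):
        return []
    findings: list[Finding] = []
    # Steps 2 and 3: only URLQueryItem instantiations that sit inside a
    # queryItems assignment or append count; a constructed-but-unused item
    # never reaches a URL.
    for assignment in QUERY_ASSIGNMENT.finditer(source):
        group = "items" if assignment.group("items") is not None else "appended"
        span_start = assignment.start(group)
        for item in QUERY_ITEM.finditer(assignment.group(group)):
            name = item.group("name")
            # Step 4: classify the parameter name.
            if SENSITIVE_NAME.search(name):
                # Step 5: report with the line number of the instantiation.
                line = source.count("\n", 0, span_start + item.start()) + 1
                findings.append(Finding(line=line, name=name))
    return findings


# Constructed inputs for the example: the page's vulnerable pattern, a secure
# variant, an append() form, and a file that never imports Foundation.
VULNERABLE_SWIFT = '''import UIKit

func vulnerableAuth(passwordField: UITextField) {
    var components = URLComponents(string: "https://api.example.com/login")!
    components.queryItems = [
        URLQueryItem(name: "username", value: "alice"),
        URLQueryItem(name: "password", value: passwordField.text)
    ]
}
'''

SECURE_SWIFT = '''import UIKit

func secureSearch(query: String) {
    var components = URLComponents(string: "https://api.example.com/search")!
    components.queryItems = [URLQueryItem(name: "q", value: query)]
}
'''

APPEND_SWIFT = '''import Foundation
var components = URLComponents(string: "https://api.example.com/me")!
components.queryItems?.append(URLQueryItem(name: "access_token", value: token))
'''

NO_FOUNDATION_SWIFT = '''components.queryItems = [URLQueryItem(name: "token", value: t)]
'''


if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_SWIFT), ("secure", SECURE_SWIFT),
               ("append", APPEND_SWIFT), ("no-foundation", NO_FOUNDATION_SWIFT)]
    for label, src in samples:
        print(label, find_query_string_exposure(src))
```

Running the block flags the password item on line 7 of the first snippet and the access_token append on line 3 of the third, and nothing in the other two. The obvious gaps are what a production SAST engine closes with an AST and data-flow tracking: an item bound to a variable and assigned later, a name read from a constant, or a sensitive value passed under an innocuous name are all invisible to this pattern match, and stems like "auth" will also hit harmless names such as "author".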
Vulnerable code example
import UIKit

func vulnerableAuth(passwordField: UITextField) {
    // VULNERABLE: Sensitive password exposed in URL query parameter
    var components = URLComponents(string: "https://api.example.com/login")!
    components.queryItems = [
        URLQueryItem(name: "password", value: passwordField.text)
    ]
    // The password is now part of the URL and travels in the request line,
    // where it can end up in access logs, browser history and Referer headers.
    guard let url = components.url else { return }
    URLSession.shared.dataTask(with: url).resume()
}
✅ Secure code example
import UIKit

func secureAuth(passwordField: UITextField) {
    // Use POST request body instead of URL query params for sensitive data
    guard let url = URL(string: "https://api.example.com/login") else { return }
    var request = URLRequest(url: url)
    request.httpMethod = "POST"
    request.setValue("application/json", forHTTPHeaderField: "Content-Type")
    // The password travels in the request body, not in the URL, so it does not
    // reach access logs, history or Referer headers. The URL must still be
    // HTTPS, otherwise the body is readable on the wire.
    let body = ["password": passwordField.text ?? ""]
    request.httpBody = try? JSONSerialization.data(withJSONObject: body)
    URLSession.shared.dataTask(with: request).resume()
}