Javascript Sensitive Information In Url
Description
This detector identifies JavaScript code that exposes sensitive information in URLs, such as passwords, API keys, tokens, or personal data in query parameters or URL paths. Such exposure can lead to information disclosure through browser history, server logs, referrer headers, or network monitoring.
Detection Strategy
• Scans JavaScript code for URL construction or manipulation that includes sensitive data
• Identifies variables or literals containing sensitive information (passwords, tokens, keys, personal data) being concatenated or embedded into URLs
• Detects URL query parameters, fragments, or path segments that expose confidential information
• Flags code where sensitive data is passed through URL.searchParams, query string building, or direct URL concatenation
• Reports when sensitive information appears in URL-based navigation methods
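As an added illustration of the strategy above (not Fluid Attacks' own detector), the following heuristic checker flags sensitive key names that appear as query-string keys in string literals, as the first argument of searchParams.set/append, or as keys of an object passed to URLSearchParams. The SENSITIVE list and the sample snippets are constructed for the example.

```javascript
// Added example, not the page's or Fluid Attacks' code: a minimal line-based
// checker for the patterns the detection strategy describes. Heuristic only;
// it works on source text, not on an AST, so it can miss or over-report.
const SENSITIVE = ["password", "passwd", "pwd", "token", "api_key", "apikey",
  "secret", "ssn", "credit_card"];

const PATTERNS = [
  // "?password=" or "&token=" inside a string literal or concatenation
  { kind: "query-literal", re: /[?&]([A-Za-z0-9_-]+)=/g },
  // params.set("password", ...) / url.searchParams.append('token', ...)
  { kind: "searchParams", re: /\.(?:set|append)\(\s*["']([A-Za-z0-9_-]+)["']/g },
  // new URLSearchParams({ user, api_key: key })
  { kind: "searchParams-object", re: /URLSearchParams\(\s*\{([^}]*)\}/g },
];

// Returns one finding per sensitive key: { line, kind, key }.
function findSensitiveUrlParams(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const { kind, re } of PATTERNS) {
      re.lastIndex = 0; // the regexes are global; restart per line
      let m;
      while ((m = re.exec(text)) !== null) {
        // object literal: take each property name (shorthand or key: value)
        const keys = kind === "searchParams-object"
          ? m[1].split(",").map((p) => p.split(":")[0].trim()).filter(Boolean)
          : [m[1]];
        for (const key of keys) {
          if (SENSITIVE.includes(key.toLowerCase())) {
            findings.push({ line: idx + 1, kind, key });
          }
        }
      }
    }
  });
  return findings;
}

// Constructed sample source; lines 1, 2 and 4 should be flagged, line 3 not.
const SAMPLE = [
  'const u = "/login?user=" + user + "&password=" + password;',
  'const params = new URLSearchParams(); params.set("token", session.token);',
  'fetch("/api?q=" + term);',
  'const qs = new URLSearchParams({ user, api_key: key }).toString();',
].join("\n");

console.log(JSON.stringify(findSensitiveUrlParams(SAMPLE), null, 2));
```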
Vulnerable code example
const express = require("express");
const app = express();
app.use(express.json());
app.get("/login", (req, res) => {
  // VULNERABLE: the password arrives in the query string, so it is written to
  // browser history, server access logs and outgoing Referer headers
  const password = req.query.password;
  // ... rest of the handler elided in the original
});
✅ Secure code example
const express = require("express");
const app = express();
app.use(express.json());
app.post("/login", (req, res) => {
  const password = req.body.password; // SECURE: Password from POST body, not URL
  // ... rest of the handler elided in the original
});