Security Question: Sensitive information in URL
Article Number: 000017123 | Last Modified: 2018/06/12
Description
Issue Background
Sensitive information within URLs may be logged in various locations, including
the user's browser, the web server, and any forward or reverse proxy servers
between the two endpoints. URLs may also be displayed on-screen,
bookmarked or emailed around by users. They may be disclosed to third parties
via the Referer header when any off-site links are followed. Placing session
tokens into the URL increases the risk that they will be captured by an attacker.
Issue Detail
The URL in the request appears to contain a session token within the query string:
• https://xxxxxxxxxx/QvAjaxZfc/QvsViewClient.aspx?public=only&name=xx.htm&target=Document.xxx.ADD&session=%7BE374294A-686A-4C85-81C3-8141E1906B24%7D&host=QVS%40XXXXXXXXX&view=XXX%2FXXXX%20BXXXX%XXXX.qvw&remote=%2FQvAjaxZfc%2FQvsViewClient.aspx&xrfkey=RZyai22pXwIPsotbXXXX
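The exposure described in the Issue Background (tokens in the query string ending up in server logs and in third-party Referer headers) can be checked for directly. The following is an added example, not Qlik's code or part of the original article: it scans constructed web-server log lines for the two parameter names taken from the finding above (`session` and `xrfkey`) plus a few generic names that are an assumption of this example, and it produces a redacted form of such a URL for use in logging. The log lines, hostnames and token values are made up.

```python
"""Find session/CSRF material carried in query strings, in request lines and Referers.

Added example; not Qlik's code. Parameter names `session` and `xrfkey` come from
the finding; the other names in SENSITIVE_PARAMS are a generic assumption.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names treated as sensitive (lower-cased for comparison).
SENSITIVE_PARAMS = {"session", "xrfkey", "sessionid", "token", "sid", "jsessionid"}

# Constructed sample lines in Apache/nginx Combined Log Format:
#   client - - [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
SAMPLE_LOG = [
    # Line 1: the QlikView server's own log; the request target carries both tokens.
    '10.0.0.5 - - [12/Jun/2018:10:01:02 +0000] "GET /QvAjaxZfc/QvsViewClient.aspx'
    '?public=only&name=xx.htm&session=%7BE374294A-686A-4C85-81C3-8141E1906B24%7D'
    '&xrfkey=RZyai22pXwIPsotbXXXX HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Line 2: a static asset, nothing sensitive.
    '10.0.0.5 - - [12/Jun/2018:10:01:03 +0000] "GET /static/app.css HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    # Line 3: a third-party site's log after an off-site link was followed from the
    # app; the Referer delivers the full URL, token included, to that third party.
    '10.0.0.5 - - [12/Jun/2018:10:02:10 +0000] "GET /help HTTP/1.1" 200 100 '
    '"https://qvs.example.test/QvAjaxZfc/QvsViewClient.aspx?session=%7BABC%7D'
    '&view=doc.qvw" "Mozilla/5.0"',
]

# Pulls the request target and the Referer field out of a Combined Log Format line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def sensitive_query_params(url):
    """Return [(name, value)] for query parameters of `url` whose name is sensitive.

    Works for absolute URLs and for bare request targets such as "/x.aspx?a=1".
    """
    query = urlsplit(url).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAMS
    ]


def redact_url(url):
    """Return `url` with every sensitive parameter value replaced by REDACTED.

    Non-sensitive parameters and their order are preserved, so the result is
    still useful for debugging while being safe to write to a log.
    """
    parts = urlsplit(url)
    pairs = [
        (name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log_lines(lines):
    """Return [(line_no, field, param_name)] for each sensitive parameter found.

    `field` is "target" when the token sits in the request line of this server's
    own log and "referer" when it arrived via the Referer header.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        for field in ("target", "referer"):
            value = match.group(field)
            if value == "-":
                continue  # Combined Log Format writes "-" for an absent Referer
            for name, _ in sensitive_query_params(value):
                findings.append((line_no, field, name))
    return findings


if __name__ == "__main__":
    for line_no, field, name in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: sensitive parameter '{name}' in {field}")
    print(redact_url("https://h/x.aspx?public=only&session=%7BE37%7D&xrfkey=abc"))
```

Line 3 of the sample is the case the Issue Background calls out: the token never touched the third party's application, yet it is in their access log. Scanning your own logs finds the first kind of exposure; only changes on the serving side (moving the token out of the URL, or at least a restrictive Referrer-Policy) address the second.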
Resolution
It has been observed that sensitive information, namely a session identifier and a CSRF token (the session and xrfkey parameters), is being passed in the query string of a GET request.
Qlik Response
The session ID identified in the GET request is not used to track or identify an authenticated user. It is instead used to keep track of selections made within an app. The sensitivity of this information is seen by Qlik as low.