HIGH | CWE-319 | Secret Exposure

Password in Query String

Description

Sensitive data such as passwords or tokens are transmitted in URL query strings, where they are logged by servers, proxies, and analytics.

How Vezraa Detects It

We scan your app for forms that submit to URLs containing query parameters like ?password=, ?token=, or ?api_key=.

Real-World Impact

Passwords and tokens appear in server logs, browser history, referrer headers, and analytics platforms — accessible to anyone with log access.

Fix Example

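<!-- BAD: password in the query string of the action URL -->
<form action="/login?password=abc123">
</form>

<!-- GOOD: POST, with the password sent in the request body -->
<form method="POST" action="/login">
  <input type="password" name="password">
</form>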
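The check described under "How Vezraa Detects It", written as an added example (not Vezraa's scanner code) and run over the two forms above. It goes one step beyond that description by also flagging GET forms that carry a password or sensitive-named field, since a GET submission serializes its fields into the query string. The names `FormAuditor`, `audit` and `SAMPLE`, and the third form posting to `/signin`, are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the page; extend the set for your own application.
SENSITIVE = {"password", "token", "api_key"}

class FormAuditor(HTMLParser):
    """Collects findings for forms that would put secrets in the URL."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (action, reason) tuples
        self._form = None    # (action, method) of the form currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action") or ""
            method = (a.get("method") or "get").lower()  # HTML default is GET
            self._form = (action, method)
            # Case 1: secret-looking parameter hard-coded in the action URL.
            for name, _ in parse_qsl(urlsplit(action).query, keep_blank_values=True):
                if name.lower() in SENSITIVE:
                    self.findings.append((action, f"query parameter '{name}' in action URL"))
        elif tag == "input" and self._form and self._form[1] == "get":
            # Case 2: a GET form serializes its fields into the query string.
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "password" or name in SENSITIVE:
                self.findings.append((self._form[0], f"field '{name}' submitted via GET"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(html):
    parser = FormAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample: the page's BAD and GOOD forms plus a hypothetical GET login form.
SAMPLE = """
<form action="/login?password=abc123"></form>
<form method="POST" action="/login"><input type="password" name="password"></form>
<form action="/signin"><input type="password" name="pw"></form>
"""

if __name__ == "__main__":
    for action, reason in audit(SAMPLE):
        print(f"{action}: {reason}")
```

Only the POST form passes; the same `SENSITIVE` set can be reused to redact these parameters in access logs that already captured them.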

Affected Stacks

All web apps
