HIGH | CWE-319 | Secret Exposure
Password in Query String
Description
Sensitive data such as passwords or tokens is transmitted in URL query strings, where it is recorded by web servers, proxies, and analytics tools as part of the requested URL.
How Vezraa Detects It
We scan your app for forms that submit to URLs containing query parameters like ?password=, ?token=, or ?api_key=.
Real-World Impact
Passwords and tokens appear in server logs, browser history, referrer headers, and analytics platforms — accessible to anyone with log access.
Fix Example
// BAD — password in query (also sent with GET, so the URL is what gets logged)
<form action="/login?password=abc123">

// GOOD — POST with the secret in the request body, not the URL
<form method="POST" action="/login">
  <input type="password" name="password">
</form>
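The check described under "How Vezraa Detects It", written out as an added example (not Vezraa's scanner code): it flags a form when its action URL already carries a sensitive query parameter, or when a password field is submitted with GET, which turns the form data into the query string. The parameter list and the sample markup are constructed for this example.

```javascript
// Added example, not Vezraa's own scanner: find forms that would put a secret in the URL.
// Runs under Node.js with no dependencies (uses the built-in URL class).
const SENSITIVE_PARAMS = new Set(["password", "passwd", "pwd", "token", "api_key", "apikey", "secret"]);

// Parse the key="value" attributes of one tag into an object with lowercase keys.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// Return one finding per form whose submission would leak a secret into the URL.
function findSecretInQuery(html) {
  const results = [];
  for (const m of html.matchAll(/<form\b([^>]*)>([\s\S]*?)<\/form>/gi)) {
    const attrs = parseAttrs(m[1]);
    const action = attrs.action || "";
    const method = (attrs.method || "get").toUpperCase(); // HTML default method is GET
    // The base URL only lets relative actions parse; nothing is fetched.
    const params = new URL(action, "https://placeholder.invalid").searchParams;
    const leaked = [...params.keys()].filter((k) => SENSITIVE_PARAMS.has(k.toLowerCase()));
    if (leaked.length) {
      results.push({ action, reason: `sensitive query parameter(s): ${leaked.join(", ")}` });
    } else if (method === "GET" && /<input\b[^>]*type\s*=\s*"password"/i.test(m[2])) {
      results.push({ action, reason: "password field submitted with GET" });
    }
  }
  return results;
}

// Constructed sample markup standing in for a scanned page: forms 1, 2 and 4 should be flagged.
const SAMPLE_HTML = `
<form action="/login?password=abc123"></form>
<form method="get" action="/search"><input name="q"><input type="password" name="password"></form>
<form method="POST" action="/login"><input type="password" name="password"></form>
<form action="/reset?token=xyz" method="post"></form>
`;

for (const f of findSecretInQuery(SAMPLE_HTML)) {
  console.log(`${f.action || "(no action)"}: ${f.reason}`);
}
```

A real scanner would additionally follow JavaScript-driven submissions and check the final request URLs; this example covers only static form markup.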
Affected Stacks
All web apps