Problem/Motivation
Passing sensitive tokens (like access tokens, session tokens, or auth tokens) in the URL, especially during logout, is insecure. URLs are often logged in browser history, server logs, proxy logs, and analytics systems. This can lead to unintentional exposure of sensitive information and possible session hijacking if the token remains valid.
Steps to reproduce
While analyzing the logout functionality, it was observed that the token was passed in the URL as a query parameter (https://new.drupal.org/user/logout?token=7Yl4PprbW-TUhdXVM2c39NySlPeWxPp...). This was identified by intercepting the logout request with Burp Suite, where the token value appeared in the request URL rather than in a more appropriate location such as a request header or the request body.
Proposed resolution
● Do not pass sensitive tokens in the URL.
● Use HTTP headers (e.g., Authorization: Bearer <token>) or secure cookies.
● Use the POST method for logout instead of GET to prevent caching and URL exposure.
● Ensure token invalidation: invalidate the session or token immediately after logout to prevent reuse.
● Implement secure logging: mask or exclude sensitive values from logs and monitoring tools.
● Use HTTPS: always ensure tokens and sensitive data are transmitted over secure connections.
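As an added illustration of the "secure logging" point (example code written for this report, not part of Drupal or the site's own tooling), the following script masks sensitive query-string values such as token= in web server access-log lines and flags the requests that carried them, so existing logs can be scrubbed and monitored for this pattern. The parameter names and the sample log lines are assumed/constructed.

```python
import re

# Query parameter names treated as sensitive (assumed list; extend for your application).
SENSITIVE_PARAMS = {"token", "access_token", "session", "sessid", "auth", "api_key"}

# Matches the quoted request line of a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Mask sensitive query values in a request target; return (target, names found).
    Other parameters are copied verbatim so the rest of the log stays comparable."""
    path, sep, query = target.partition("?")
    if not sep:
        return target, []
    found, kept = [], []
    for pair in query.split("&"):
        key, eq, value = pair.partition("=")
        if eq and key.lower() in SENSITIVE_PARAMS:
            found.append(key)
            value = "REDACTED"
        kept.append(key + eq + value)
    return path + "?" + "&".join(kept), found


def redact_log_line(line):
    """Rewrite one access-log line; return (redacted line, flagged parameter names)."""
    flagged = []

    def _sub(m):
        target, found = redact_target(m.group("target"))
        flagged.extend(found)
        return f'"{m.group("method")} {target} {m.group("proto")}"'

    return REQUEST_RE.sub(_sub, line, count=1), flagged


def scan_log(lines):
    """Redact every line; return the lines that carried a sensitive parameter, with names."""
    hits = []
    for line in lines:
        redacted, flagged = redact_log_line(line)
        if flagged:
            hits.append((redacted, flagged))
    return hits


# Constructed sample lines (not real traffic); the token value is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /user/logout?token=CONSTRUCTED_TOKEN_VALUE HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /user/login HTTP/1.1" 200 5120',
    '203.0.113.8 - - [10/Oct/2024:12:00:03 +0000] "POST /user/logout HTTP/1.1" 302 0',
]
```

Running scan_log(SAMPLE_LOG) reports only the GET logout line, with its token value replaced by REDACTED; a POST logout with the token in the body leaves nothing to redact.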
Impact
1. Token Leakage in Logs: URLs can be stored in browser history, server access logs, or proxies, leading to token leakage.
2. Session Hijacking: If the token is not invalidated properly and is exposed through logs, an attacker may reuse it to impersonate the user.
3. Unintended Sharing: If users bookmark or share the URL, they might unknowingly expose the token.
4. Security Policy Violations: Violates security best practices and may impact compliance with data protection standards (e.g., GDPR, HIPAA).