current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Information Security Stack Exchange is a question and answer site for information security professionals. Join them; it only takes a minute:

Sign up
Here's how it works:
  1. Anybody can ask a question
  2. Anybody can answer
  3. The best answers are voted up and rise to the top
up vote 98 down vote favorite
46

Lately I've seen plenty of APIs designed like this:

curl "https://api.somewebsite.com/v1/something&key=YOUR-API-KEY"

Isn't it elementary that passing an API key in a query string as a part of the URL is not secure at least in HTTP.

share|improve this question
3  
It is not a good practice to pass sensitive information in URL. In the above case, I am sure that the server must be doing some additional validation (validating the session cookie etc.) after receiving the request from the client. – Piyush Saurabh Mar 30 '16 at 8:41
11  
@PiyushSaurabh, it's rest api, what cookies? – アレックス Mar 30 '16 at 10:50
72  
it's worth noting that with HTTPS the hostname (api.somewebsite.com) is passed in the clear but the full URL is not, so it will not be susceptible to casual traffic sniffing attacks in that case. – Rоry McCune Mar 30 '16 at 11:36
22  
@アレックス The TLS handshake is completed (using the domain part of the address) before the specific path is requested - the path is therefore within the encrypted traffic - see security.stackexchange.com/a/20847/89876 for full details. – Matthew Mar 30 '16 at 12:48
9  
The reason you don't put passwords in a URL normally is because they show up in browser history and in the URL bar. Those are irrelevant if the client is not a browser. – immibis Mar 31 '16 at 4:25
up vote 132 down vote accepted

Summary: Capability URLs are a lot more secure than people give them credit for.

These type of URLs are commonly known as capability / secret URLs.

It's meaningless to talk about security without specifying a threat model. Here are a couple that come to mind:

  • 1: A passive attacker on the network (eavesdroping)
  • 2: An active attacker on the network (can change packets at will, mitm, etc)
  • 3: A shoulder-surfer
  • 4: An attacker with physical access to your computer / elevated privileges
  • 5: another user of your computer (regular privileges / remote access)
  • 6: the user itself (as in protecting a API key)

Regarding network attacks (1 and 2), secret URLs are perfectly secure, provided you're using HTTPS (it's 2016, you shouldn't be using HTTP anymore!).

While the hostname of a server is sent in plaintext over the network, the actual URL is encrypted before being sent to the server - as it's part of the GET request, which only occurs after the TLS handshake.

Regarding shoulder-surfing (3), a secret URL with enough entropy is reasonably secure against a casual attack· As an example, I'll give a google docs URL:

https://docs.google.com/document/d/5BPuCpxGkVOxkjTG0QrS-JoaImEE-kNAi0Ma9DP1gy

Good luck remembering that while passing by a co-worker's screen!

Obviously, if your attacker has a camera and can take a picture without being noticed, it's an entirely different matter - you shouldn't use a secret URL in that situation.

Regarding an attacker with elevated privileges on your computer (4), a secret URL is not less secure than a long password or even a client-side TLS certificate - as all of those are actually completely insecure, and there's not much you can do about that.

An attacker with regular privileges (5), on the other hand, should not be able to learn the secret URL as well, as long as you follow good security practices for your OS. Your files (particularly browser history) should not be readable by other users.

For protecting API keys (6, which was the point of this question), a secret URL is also no-less-secure than another mechanism (such as an AJAX POST). Anyone that has an use for an API key will know how to use the browser debug mode to get the key.

It's not reasonable to send someone a secret and expect them not to look at it!

Some people have asked about the risks on the server side.

It's not reasonable to treat server-side risks by threat modelling; from a user perspective, you really have to treat the server as a trusted third party, as if your adversary has internal network access on the server side, there's really nothing you can do (very much like a privileged attacker on the client's computer, i.e. threat model 4 above).

Instead of modelling attacks, I'll outline common risks of unintentional secret exposure.

The most common concern with using secret URLs on the server side is that both HTTP server and reverse proxies keep logs, and the URL is very often included.

Another possibility is that the secret URLs could be generated in a predictable way - either because of a flawed implementation, a insecure PRNG, or giving insufficient entropy when seeding it.

There are also many caveats that have to be taken into consideration when designing a site that uses secret URLs. This page by W3C TAG covers many of them.

In practice, for sites with dynamic content, it's quite hard to get everything done securely - both Google and Dropbox botched it in the past, as mentioned on this answer

Finally, secret URLs have a couple of advantages over other authentication methods:

  • They are extremely easy to use (just click the link, as opposed to entering your email and password)
  • They don't require the server / service to securely store sensitive user credentials
  • They are easily shareable without risks, unlike sharing you password (which you reuse for 50 other sites).
share|improve this answer
1  
@アレックス What do you mean? I don't think I used the term "secure URL" in my answer – goncalopp Mar 30 '16 at 15:25
51  
"(it's 2016, you shouldn't be using HTTP anymore!)" Tell that to SE, all the meta sites (except the main meta.se itself) have certification problems and they're not going to fix that any time soon. – Mast Mar 30 '16 at 15:52
5  
These URLs are known as "capability URLs" in some places. A good discussion can be found here: w3ctag.github.io/capability-urls – Martin Thomson Mar 30 '16 at 23:16
3  
If implementing such a thing, remember that most webservers log the url, which might or might not be desirable. – Johannes Kuhn Mar 31 '16 at 3:58
7  
@mast [citation needed] on where we're not fixing it any time soon? We are very actively working on HTTPS, it's just not an easy problem to solve. We have multiple blog posts on the issue, and a new one coming in the future (undetermined date, few things up in the air) – Mark Henderson Mar 31 '16 at 11:12
up vote 22 down vote

It depends on how that API is meant to be used and what type of data it is accessing. Something that accesses google maps (for example) is much lower risk than something accessing banking data.

Obviously a call like that in client side code is insecure, the user can easily learn your API key.

If the API call is made server to server, then it's less of an issue.

Using HTTP would leave the connection open to eavesdropping, HTTPS removes that problem.

Another problem with keys in the URL is the full url ends up in log files. That expands the attack surface for the app, as there are now more places to look for the key.

To answer your question, It's not that passing keys in the URL is inherently insecure, rather it's less secure than alternatives and not best practice. Assuming the API isn't accessing something sensitive, the connection is over HTTPS and the call is made server to server, it should be 'good enough' for low risk services.

share|improve this answer
    
1) how does https remove this problem if the url is always in plain text? 2) if it wasn't something sensitive, there would be no api key. 3) it's curl, it's not server to server. – アレックス Mar 30 '16 at 10:52
34  
Why would you assume that accessing Google Maps would be less dangerous than accessing banking data? I happen to know one guy who would prefer that hackers empty his bank account than his wife find out where he goes on lunch breaks. The point is, when designing a secure system, you cannot make any assumptions. – dotancohen Mar 30 '16 at 13:06
2  
"Obviously a call like that in client side code is insecure, the user can easily learn your API key. " A user can just as easily learn an API key that is sent in any other way - it's their computer. A user that is not technically able to get an API key from a POST request wouldn't have much use for it! – goncalopp Mar 30 '16 at 13:20
11  
@dotancohen the API key for Google Maps (as far as I know) is just to keep track of how many calls are made to the Maps API from your app, because free users have a limit. So there shouldn't be a security risk like finding out specific locations. However, I see your overall point and I agree with it. – DasBeasto Mar 30 '16 at 13:24
3  
I think whenever we discuss web security, there is always the assumption that the two parties engaged in the dialog trust each other at least to some extent. If I send you an encrypted message, it's ok for both you and myself to know the contents of the message. The security is there to prevent third parties from accessing it. So all arguments about log files on the server, or debug console in the browser etc. are irrelevant; if the server is the attacker then no, this is not secure. And if we send the client a message then yes, he can read it. – Stijn de Witt Mar 31 '16 at 18:49
up vote 10 down vote

It is not a good idea to pass secrets as GET parameters in general. I compiled a list on my blog a while ago on the potential security issues:

Secrets may leak to other parties as the following:

From your computer / smartphone

Server-side

  • Web server logs
  • Log aggregating services such as SIEM, Elasticsearch, Splunk
  • Log files indexed by search engines (relevant Google dork)
  • Reverse proxy logs

To Third-parties

  • Proxy logs (e.g. in an enterprise environment)
  • Exception reporting services such as Rollbar or Sentry
  • Other websites via the Referer header
  • A friend, in case the URL is shared in an email or IM message
  • Fellow tenants in a public cloud

Some of them is not applicable to Ajax requests, but ymmv

share|improve this answer
up vote 0 down vote

I wonder why nobody explicitly mentions the risk of session fixation and CSRF vulnerabilities. Of course you can mitigate these by adding CSRF tokens and implement secure session handling but this implies that you actually have control over the relevant code.

Since this question has the title A secret in a URL some people could come to the conclusion that it's sufficient if they implement some mitigating measures around instead of seeing it as possible attack vector which can be avoided.

share|improve this answer
    
could you elaborate on session fixation? – アレックス Jul 30 '16 at 5:10

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.