# Web Application Security Assessment: Sensitive Data Exposure

Jessica

The Sensitive Data Exposure Web Application Security assessment evaluates the application design to ensure it includes controls that reduce the exposure of critical and sensitive information.

## Web Application Security Evidence: Sensitive Data Exposure

- Secure Cookie Set on an Insecure Channel
- Session Token in URL
- Mixed Content
- HSTS Preload Directive Present
- Cookie SameSite Attribute
- Cookie SameSite Blocked
- Unsafe Referrer Policy

## Secure Cookie Set on an Insecure Channel

The Secure flag instructs the browser never to send a cookie over an insecure (non-HTTPS) channel; however, some websites set such cookies over insecure channels, defeating the purpose of the Secure flag. Some modern browsers will even ignore Secure cookies set over an insecure medium.

**Finding Message:** Secure cookie on insecure channel

**Framework References**

| Organization | Framework |
| --- | --- |
| OWASP | A02:2021 - Cryptographic Failures |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |

**Grading & Conditions**

Cookies that do not contain sensitive information and are outside the control of the website owner are ignored. For more information, check the Cookie Assessment Exclusion.

Weight: Not Applicable

| Weight | Condition |
| --- | --- |
| Not Applicable | Secure cookie set on insecure channel findings are informational only. |

**Mitigation**

Ensure the site is accessible through a secure connection. If that is not possible, ensure that the application does not depend on cookies with the Secure flag set.

## Session Token in URL

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked, or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

**Finding Message:** A known session token pattern is present in a URL

**Framework References**

| Organization | Framework |
| --- | --- |
| OWASP | A04:2021 - Insecure Design |
| CWE | CWE-598: Use of GET Request Method With Sensitive Query Strings |

**Grading & Conditions**

Weight: Not Applicable

| Weight | Condition |
| --- | --- |
| Not Applicable | We issue an informational finding when we find tokens that may be used as session identifiers being passed in a URL field. Session Token in URL findings are informational only. They are always NEUTRAL and do not impact your rating. |

**Mitigation**

Although this is an informational finding, users are advised to ensure that no session identifiers or other sensitive information are passed via URL GET parameters.

## Mixed Content

Some websites load insecure resources over HTTP even though the sites themselves are served over HTTPS. This is a security risk.

**Finding Message:** Secure page included non-secure content

**Framework References**

| Organization | Framework |
| --- | --- |
| OWASP | A02:2021 - Cryptographic Failures |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |

**Grading & Conditions**

Whenever an HTTPS website is visited, we list every resource that is insecure content (HTTP). Depending on the type of content, a web browser may block it from loading (blocked) or try to load it via a secure channel (HTTPS) instead (upgraded). Usually, the content that is blocked is more security sensitive, so we grade mixed content events using the following scale (there is a per-event-status limit of 10 findings that count against a hostname):

| Mixed Content Event Status | Description | Weight |
| --- | --- | --- |
| Content Upgraded | The resource was automatically upgraded to HTTPS | 0.1 |
| Content Warning | The resource could not be upgraded to HTTPS and was made available using HTTP (excluding insecure FORM resources) | 10.0 |
| Content Blocked | The resource could not be upgraded to HTTPS and was blocked by the browser (including insecure FORM resources) | 1000.0 |

For each website, we add the weights of these events to calculate a mixed content score and issue the following grades based on its value:

Minimum weight: 0

Maximum weight: 10101

| Weight | Condition | Content Score |
| --- | --- | --- |
| 0 | Low number/low severity of mixed content events. | mixed_content_score = 0 |
| >0 and <10 | Medium number/medium severity of mixed content events. | mixed_content_score < 10 |
| ≥10 and <1000 | Medium number/medium severity of mixed content events. | 10 ≤ mixed_content_score < 1000 |
| ≥1000 and ≤10101 | High number/high severity of mixed content events. | mixed_content_score ≥ 1000 |

**Mitigation**

The best strategy to avoid mixed content blocking is to serve all content over HTTPS instead of HTTP.
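To make the scale above concrete, here is an added example (written for this article; it is not the assessment's own code) that computes the mixed content score and grade band for each hostname from a list of observed events. The hostnames, resource URLs and the `SAMPLE_EVENTS` list are constructed for the example; the weights, the cap of 10 findings per event status and the grade thresholds are the ones listed in the tables above.

```python
"""Mixed content score and grade bands, as an added example (not the assessment's
own code). Weights, the per-status cap of 10 findings and the grade thresholds
are the ones listed on this page; the hosts and resource URLs are constructed."""
from collections import Counter

# Weight of one event, by status (from the scale above)
WEIGHTS = {"upgraded": 0.1, "warning": 10.0, "blocked": 1000.0}
# At most this many findings per event status count against one hostname
PER_STATUS_CAP = 10

# Constructed sample findings: (hostname, status, insecure resource URL)
SAMPLE_EVENTS = (
    [("shop.example.test", "upgraded", f"http://cdn.example.test/img/{i}.png") for i in range(3)]
    + [("shop.example.test", "warning", "http://cdn.example.test/legacy.css"),
       ("shop.example.test", "warning", "http://fonts.example.test/fonts.css")]
    + [("intranet.example.test", "blocked", f"http://static.example.test/app{i}.js") for i in range(12)]
)


def mixed_content_score(events, hostname):
    """Sum the status weights of one hostname's events, capping each status."""
    counts = Counter(status for host, status, _ in events if host == hostname)
    return sum(WEIGHTS[status] * min(n, PER_STATUS_CAP) for status, n in counts.items())


def maximum_score():
    """Highest score any hostname can reach: the cap times every weight."""
    return sum(w * PER_STATUS_CAP for w in WEIGHTS.values())


def grade(score):
    """Map a score to (weight band, severity wording) from the grade table."""
    if score == 0:
        return ("0", "low")
    if score < 10:
        return (">0 and <10", "medium")
    if score < 1000:
        return (">=10 and <1000", "medium")
    return (">=1000 and <=10101", "high")


def assess(events):
    """Score and grade every hostname that appears in the events."""
    result = {}
    for hostname in sorted({host for host, _, _ in events}):
        score = round(mixed_content_score(events, hostname), 1)
        result[hostname] = (score, *grade(score))
    return result


if __name__ == "__main__":
    for host, (score, band, severity) in assess(SAMPLE_EVENTS).items():
        print(f"{host}: score={score}, weight band {band} ({severity})")
```

The intranet host shows the cap at work: twelve blocked scripts count as ten, so its score saturates at 10000 rather than 12000, and the highest score any hostname can reach is 10 × 0.1 + 10 × 10 + 10 × 1000 = 10101, the maximum weight listed above. Two warnings and three upgraded images on the shop host already land in the ≥10 band, which is why a single unupgradable stylesheet matters more than many auto-upgraded images.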
Website owners should ensure that every resource loaded from an HTTPS website is loaded securely.

## HSTS Preload Directive Present

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with them using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike insecure HTTP used alone.

**Framework References**

| Organization | Framework |
| --- | --- |
| OWASP | A02:2021 - Cryptographic Failures |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |

**Grading & Conditions**

Weight: -0.1 ❖

| Weight | Condition |
| --- | --- |
| -0.1 | The Strict-Transport-Security header is set with the preload directive. |

**Mitigation**

Website owners should configure HSTS headers correctly.

## Cookie SameSite Attribute

SameSite attributes prevent cookies from being passed to cross-origin browsing contexts and are one mitigating technique against cross-site request forgery.

**Finding Message:** Cookie set without the SameSite attribute defined

**Framework References**

| Organization | Framework |
| --- | --- |
| OWASP | A01:2021 - Broken Access Control |
| CWE | CWE-1275: Sensitive Cookie with Improper SameSite Attribute |

**Grading & Conditions**

Cookies that do not contain sensitive information and are outside the control of the website owner are ignored. For more information, check the Cookie Assessment Exclusion.

Weight: Not Applicable

| Weight | Condition |
| --- | --- |
| Not Applicable | Cookie SameSite Attribute findings are informational only. They are always NEUTRAL and do not impact the rating. |

**Mitigation**

In general, session and other tracking cookies should be explicit about how permissive the use of the cookie can be across origins.
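The cookie checks described in this article (a Secure cookie set on an insecure channel, a cookie without a SameSite attribute, and the SameSite=None-without-Secure case listed under Cookie SameSite Blocked further down) can all be reproduced from raw Set-Cookie header values. The following is an added example, not the assessment's own code: the hostnames, cookie names and values in `SAMPLE_RESPONSES` are constructed, and the `ignore` set stands in for the Cookie Assessment Exclusion allowlist that the page refers to.

```python
"""Set-Cookie attribute checks for the cookie findings on this page (added
example; not the assessment's own code). Hostnames, cookie names and values in
SAMPLE_RESPONSES are constructed; the ignore set plays the role of the Cookie
Assessment Exclusion allowlist the page refers to."""
from urllib.parse import urlsplit

SECURE_ON_INSECURE = "Secure cookie on insecure channel"
SAMESITE_MISSING = "Cookie set without the SameSite attribute defined"
SAMESITE_NONE_NOT_SECURE = "SameSite=None set without the Secure flag"

# Constructed observations: (URL of the response, raw Set-Cookie header value)
SAMPLE_RESPONSES = [
    ("http://www.example.test/login", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.test/", "prefs=dark; Path=/"),
    ("https://www.example.test/", "tracker=xyz; SameSite=None; Path=/"),
    ("https://www.example.test/app", "csrf=tok; SameSite=Strict; Secure"),
    ("https://www.example.test/", "ad_id=42; SameSite=None"),  # third-party cookie, not owner-controlled
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def cookie_findings(responses, ignore=frozenset()):
    """Return (cookie name, finding message) pairs for every observed cookie."""
    findings = []
    for url, header in responses:
        name, _, attrs = parse_set_cookie(header)
        if name in ignore:  # excluded cookie, see Cookie Assessment Exclusion
            continue
        secure = "secure" in attrs
        samesite = attrs.get("samesite")
        if secure and urlsplit(url).scheme.lower() != "https":
            findings.append((name, SECURE_ON_INSECURE))
        if samesite is None:
            findings.append((name, SAMESITE_MISSING))
        elif isinstance(samesite, str) and samesite.lower() == "none" and not secure:
            # Browsers that default to SameSite=Lax reject SameSite=None cookies that
            # lack Secure; this is the condition graded under Cookie SameSite Blocked
            findings.append((name, SAMESITE_NONE_NOT_SECURE))
    return findings


if __name__ == "__main__":
    for name, message in cookie_findings(SAMPLE_RESPONSES, ignore={"ad_id"}):
        print(f"{name}: {message}")
```

Run against the sample, the `sid` cookie produces two findings (it is both Secure-on-HTTP and missing SameSite), `prefs` is missing SameSite, `tracker` is SameSite=None without Secure, and `csrf` is clean; `ad_id` would also be flagged but is skipped because it is on the ignore list, mirroring how cookies outside the site owner's control are excluded.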
The current default behavior on most modern browsers is SameSite=Lax, which may be too permissive for session cookies on some web applications.

## Cookie SameSite Blocked

The SameSite cookie attribute allows website owners to restrict where and when cookies may be sent. It gives greater control over the use of third-party tracking cookies on a given website and helps to prevent attacks such as Cross-Site Request Forgery (CSRF).

**Finding Message:** A cookie was blocked due to SameSite policy violation

**Framework References**

| Organization | Framework |
| --- | --- |
| OWASP | A01:2021 - Broken Access Control |
| CWE | CWE-1275: Sensitive Cookie with Improper SameSite Attribute |

**Grading & Conditions**

Cookies that do not contain sensitive information and are outside the control of the website owner are ignored. For more information, check the Cookie Assessment Exclusion.

Minimum weight: 0

Maximum weight: 0.1

| Weight | Condition |
| --- | --- |
| 0 | No issues with blocked cookies exist. |
| 0.1 | At least one of the following issues exists: the website is loading resources from a third-party site whose cookies were blocked due to a SameSite policy; or the website is attempting to set a cookie with SameSite=None but is not setting the Secure cookie flag. |

**Mitigation**

As of July 14, 2020, Google Chrome and most browsers have adopted the default cookie policy of SameSite=Lax. This means that for third-party cookies to be sent when loading external resources, they need to be explicitly set with the SameSite=None policy along with the Secure flag.

## Unsafe Referrer Policy

The Referrer-Policy header tells the browser what referrer information should be passed on to navigation.
In some policy configurations, sensitive user data may be leaked outside of secure channels.

**Finding Message:** Referrer-Policy defined with unsafe-url

**Framework References**

| Organization | Framework |
| --- | --- |
| OWASP | A02:2021 - Cryptographic Failures |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |

**Grading & Conditions**

Minimum weight: 0

Maximum weight: 0.1

| Weight | Condition |
| --- | --- |
| 0 | The website does not use the unsafe-url Referrer Policy. |
| 0.1 | The website contains the unsafe-url Referrer Policy. |

We scan each website looking for the `Referrer-Policy: unsafe-url` header. This policy specifies that the website passes its referrer information in full to other linked sites, including any query parameters, if present.

**Mitigation**

Website owners should avoid leaking internal URLs to third parties when possible.

## Updates

- March 26, 2026: Unsafe Referrer Policy grading updates.
- March 4, 2025: Updated weights per changes implemented December 16, 2024.
- January 15, 2025: Linked to finding messages.
- December 5, 2024: Moved to a more exclusive section; linked to secure cookie (allowlist) resource; linked to CSRF definition.
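As an added example that is not part of this article or the assessment's own code, the following checks implement the three header- and URL-level findings described above directly on response data: a Strict-Transport-Security header carrying the preload directive (HSTS Preload Directive Present), an effective Referrer-Policy of unsafe-url (Unsafe Referrer Policy), and a known session-token pattern in a URL (Session Token in URL). The parameter names in `SESSION_PARAM_NAMES`, the sample headers and the URLs are assumptions constructed for the example; the page does not enumerate the token patterns it matches. The `preload_list_eligible` helper checks the separate submission requirements of the hstspreload.org list, which is not a condition of this assessment.

```python
"""Header and URL checks for the HSTS preload, Referrer-Policy unsafe-url and
session-token-in-URL findings (added example; not the assessment's own code)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names that web frameworks commonly use for session identifiers.
# Constructed for this example; the assessment's own pattern list is not published here.
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "session_id",
    "sid", "cfid", "cftoken",
}
# Servlet containers may also encode the session id as a path parameter
JSESSIONID_PATH_RE = re.compile(r";jsessionid=", re.IGNORECASE)

# Valid Referrer-Policy tokens. In a comma-separated list the last recognised
# token is the effective policy; earlier ones are fallbacks for older browsers.
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}


def parse_hsts(value):
    """Parse Strict-Transport-Security directives into {name: value_or_True}."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, has_value, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if has_value else True
    return directives


def preload_list_eligible(directives):
    """hstspreload.org submission requirements (not a condition of this assessment):
    max-age of at least one year, includeSubDomains and preload."""
    try:
        max_age = int(directives.get("max-age", 0))
    except (TypeError, ValueError):
        return False
    return max_age >= 31536000 and "includesubdomains" in directives and "preload" in directives


def effective_referrer_policy(value):
    """Return the policy token a browser would apply, or "" if none is recognised."""
    effective = ""
    for token in value.split(","):
        token = token.strip().lower()
        if token in REFERRER_POLICIES:
            effective = token
    return effective


def header_findings(headers):
    """headers: response header name -> value; names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lowered.get("strict-transport-security")
    if hsts is not None and "preload" in parse_hsts(hsts):
        findings.append(("HSTS preload directive present", -0.1))  # weight credited on this page
    if effective_referrer_policy(lowered.get("referrer-policy", "")) == "unsafe-url":
        findings.append(("Referrer-Policy defined with unsafe-url", 0.1))
    return findings


def url_findings(url):
    """Informational finding (no weight) when a session-token pattern appears in a URL."""
    parts = urlsplit(url)
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if names & SESSION_PARAM_NAMES or JSESSIONID_PATH_RE.search(parts.path):
        return [("A known session token pattern is present in a URL", None)]
    return []


# Constructed sample responses (URL, headers) for a made-up host
SAMPLE_RESPONSES = [
    ("https://www.example.test/", {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Referrer-Policy": "strict-origin-when-cross-origin"}),
    ("https://www.example.test/report?PHPSESSID=9f2c0c&page=2", {
        "Referrer-Policy": "no-referrer, unsafe-url"}),
    ("https://www.example.test/cart;jsessionid=7A1B2C3D", {
        "Strict-Transport-Security": "max-age=300"}),
]


def assess(responses):
    """Collect URL and header findings for each observed response."""
    return [(url, url_findings(url) + header_findings(headers)) for url, headers in responses]


if __name__ == "__main__":
    for url, findings in assess(SAMPLE_RESPONSES):
        print(url, findings or "no findings")
```

The second sample shows why the effective policy, not merely the presence of the string, is what matters: `no-referrer, unsafe-url` resolves to `unsafe-url` because browsers take the last token they recognise, so the fallback-list form is just as leaky as a bare `unsafe-url`. The third sample carries a servlet-style session id in the path rather than the query string, which a query-only check would miss.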