web application – How risky are auth and access tokens sent base64-encoded in a GET request?


Lately, I have been doing a manual review of a web application built with Python Flask, Polymer JS and Node.js.

I was able to retrieve both the auth and the access token, since they were only base64 encoded. The application developers say they have not exposed the API endpoints.

So with the GET request I can view a JSON-formatted file in the web browser; the data section contains the base64-encoded request, which looks like this (after UTF-8 HTML decoding):

{"id":"demouser","n":"demouser","friends":"","auth":"ed4b5a41d32ece8347394f9de59a8c1d","referer":"iridium-preprod.empiric.ai","accessToken":"0d7547ea912e3ce2a35572c8b9a755b1"}

I tried sending it with a different username instead of demouser and got a 302 response. I'm using ZAP for testing. I want to know what the impact of this vulnerability would be in such a scenario, and whether there is a way I can replay this API GET request outside the (logged-in) application context. Thanks.