C-70%
Quality Score
8
Pages
219
Issues
7.4
Avg Confidence
7.4
Avg Priority
45 Critical119 High53 Medium2 Low
>_ Testers.AI
AI Analysis
Marks & Spencer scored B (85%) with 219 issues across 7 tested pages, ranking #22 of 22 UK retail sites. That's 95 more than the 123.7 category average (0th percentile).
Top issues to fix immediately: "JWT Token Exposed in Network Request URL" โ 1) Move authentication token from URL query parameter to HTTP Authorization header or POST body; "Multiple JWT Tokens Exposed in Session Data URLs" โ 1) Remove authentication tokens from URL-transmitted data; "Unencrypted User Email and Account Data Sent to Tracking Service in Im" โ 1) Never send user personal data (email, name, gender, account type) to third-party analytics via tracking pixels.
Weakest area โ accessibility (6/10): Text contrast appears adequate in most areas, but some smaller text may be difficult for vision-impaired users.
Quick wins: Enhance color contrast ratios for better readability, especially for smaller text elements. Implement clearer ARIA labels and alt text for all product images to improve screen reader compatibility.
Qualitative Quality
Marks & Spencer
Category Avg
Best in Category
Pages Tested ยท 8 screenshots
Homepage
marksandspencer.com
marksandspencer.com
marksandspencer.com
marksandspencer.com
marksandspencer.com
marksandspencer.com
marksandspencer.com
Detected Issues ยท 219 total
1
JWT Token Exposed in Network Request URL
CRIT P10
Prompt to Fix
SECURITY FIX REQUIRED: A JWT authentication token has been found embedded in a URL query parameter sent to click.prod.mplat-ppcprotect.com, visible in browser console logs. This creates multiple security vulnerabilities: tokens in URLs are logged by browsers, proxies, and servers, enabling session hijacking and token replay attacks. Immediately refactor the authentication mechanism to: 1) Remove the 'token' parameter from the URL. 2) Transmit authentication credentials via HTTP Authorization header with Bearer scheme instead. 3) If using POST requests, move token to request body instead of query parameters. 4) Implement token expiry and rotation policies. 5) Add security headers like Strict-Transport-Security and X-Content-Type-Options. Verify the fix by confirming tokens no longer appear in network request URLs in browser DevTools.
Why it's a bug
A JWT token is embedded in a network request URL visible in console logs: 'token=eyJoYkdjaU9pSklVekkxTmlJc0luUjVjQ0k2SWtwWFZDSjkuZXlKaFkyTnZkVzUwWDJsa0lqb3hOalF3TVgwLjktb1lhX0pxekQ3Nll4WGR5VUdvTmpQYU82X1dEalBSZHlVVVR6M0ktSXM'. This token is transmitted in a URL parameter to 'click.prod.mplat-ppcprotect.com', which violates CSP policy. URL-based token transmission is logged in browser history, server logs, and proxies, creating multiple exposure vectors. This enables session hijacking, token replay attacks, and account takeover.
Why it might not be a bug
The CSP policy is report-only mode, so the request technically still executes. However, this does not mitigate the security risk of token exposure in URLs.
Suggested Fix
1) Move authentication token from URL query parameter to HTTP Authorization header or POST body. 2) Implement short-lived tokens with expiry. 3) Add token binding to specific client contexts. 4) Implement token rotation on sensitive operations. 5) Monitor for token leakage in logs and network captures.
Why Fix
Tokens in URLs are logged by browsers, proxies, and servers. Header-based authentication prevents accidental logging. This blocks session hijacking and replay attack vectors that directly compromise user accounts.
Route To
Backend Authentication Engineer / Security Engineer
Page
Tester
Sharon ยท Security Console Log AnalyzerTechnical Evidence
Console:
[INFO] Connecting to 'https://click.prod.mplat-ppcprotect.com/v2/recv?lpn=n&plat=&data=eyJjbGllbnRfZGF0YSI6eyJocmVmIjoiaHR0cHM6Ly93d3cubWFya3NhbmRzcGVuY2VyLmNvbS91cy9sL29mZmVycy9zcGFya3MvIiwidG9rZW4iOiJleUpoYkdjaU9pSklVekkxTmlJc0luUjVjQ0k2SWtwWFZDSjkuZXlKaFkyTnZkVzUwWDJsa0lqb3hOalF3TVgwLjktb1lhX0pxekQ3Nll4WGR5VUdvTmpQYU82X1dEalBSZHlVVVR6M0ktSXMiLCJjbGllbnRfaWQiOjAsImx1bmlvX3Nlc3Npb25faWQiOiJhMDY2YjE2Yi00YTgwLTQ1MjMtYjdkMi1lZGVlMzhkNzIwZjAifX0'Network:
POST to click.prod.mplat-ppcprotect.com with JWT token in URL2
Multiple JWT Tokens Exposed in Session Data URLs
CRIT P10
Prompt to Fix
CRITICAL SECURITY VULNERABILITY: Multiple JWT tokens and session identifiers are being transmitted in URL parameters to click.prod.mplat-ppcprotect.com, visible in browser console. The 'data' parameter contains base64-encoded JSON with plaintext authentication tokens that are logged, cached, and intercepted. This is a critical vulnerability enabling account takeover. IMMEDIATE ACTION: 1) Cease all token transmission via URL parameters. 2) Move tokens to HTTP Authorization header using Bearer scheme. 3) Use secure httpOnly, Secure, SameSite cookies for session state instead of URL parameters. 4) Implement token expiration (15-60 minute lifetime). 5) Implement refresh token rotation on new access token issuance. 6) Audit all outbound requests to ensure no tokens appear in URLs or visible logs. 7) Implement Content Security Policy in enforce mode (not report-only) to block unwhitelisted domains. Test by verifying no tokens appear in network tab of DevTools and that all authentication uses Authorization headers.
Why it's a bug
Multiple JWT tokens are exposed in the 'data' parameter of network requests sent to click.prod.mplat-ppcprotect.com. The embedded JSON contains 'token': 'eyJoYkdjaU9pSklVekkxTmlJc0luUjVjQ0k2SWtwWFZDSjkuZXlKaFkyTnZkVzUwWDJsa0lqb3hOalF3TVgwLjktb1lhX0pxekQ3Nll4WGR5VUdvTmpQYU82X1dEalBSZHlVVVR6M0ktSXM' and 'lunio_session_id': 'a066b16b-4a80-4523-b7d2-edee38d72f0'. These tokens are visible in console logs, transmitted over network, and logged by intermediaries. This enables credential theft, session hijacking, and account takeover attacks.
Why it might not be a bug
The CSP policy is report-only and does not block the requests, but this does not mitigate the fundamental token exposure vulnerability.
Suggested Fix
1) Remove authentication tokens from URL-transmitted data. 2) Use HTTP Authorization headers for token transmission. 3) Implement secure, httpOnly cookies for session management. 4) Use short-lived access tokens with refresh token rotation. 5) Remove token values from all network logs and console output. 6) Implement Content Security Policy in enforce mode to block unauthorized endpoints.
Why Fix
Session tokens and JWT credentials exposed in URLs are intercepted by proxies, logged in browser history, server logs, and shared in error reports. This directly enables account takeover. Proper token transmission through secure headers and cookies prevents exposure.
Route To
Security Engineer / Backend Authentication Engineer
Page
Tester
Sharon ยท Security Console Log AnalyzerTechnical Evidence
Console:
[INFO] Connecting to 'https://click.prod.mplat-ppcprotect.com/v2/recv?lpn=n&plat=&data=eyJjbGllbnRfZGF0YSI6eyJocmVmIjoiaHR0cHM6Ly93d3cubWFya3NhbmRzcGVuY2VyLmNvbS91cy9sL29mZmVycy9zcGFya3MvIiwidG9rZW4iOiJleUpoYkdjaU9pSklVekkxTmlJc0luUjVjQ0k2SWtwWFZDSjkuZXlKaFkyTnZkVzUwWDJsa0lqb3hOalF3TVgwLjktb1lhX0pxekQ3Nll4WGR5VUdvTmpQYU82X1dEalBSZHlVVVR6M0ktSXMiLCJjbGllbnRfaWQiOjAsImx1bmlvX3Nlc3Npb25faWQiOiJhMDY2YjE2Yi00YTgwLTQ1MjMtYjdkMi1lZGVlMzhkNzIwZjAifX0' violates the following Content Security Policy directiveNetwork:
Multiple POST requests to click.prod.mplat-ppcprotect.com containing JWT and session tokens3
Unencrypted User Email and Account Data Sent to Tracking Service in Image Beacon
CRIT P10
Prompt to Fix
You are fixing a critical privacy issue where a user data structure (including email, name, gender, account_type) is being transmitted to a third-party tracking service via image beacon URLs. The issue: Even though current values are empty, the infrastructure exists to send PII via nova.collect.igodigital.com in plaintext URL-encoded JSON. This violates GDPR and CCPA. Fix this by: 1) Remove the user_info object entirely from tracking pixel payloads sent to igodigital.com. 2) Implement a data minimization layer that strips all PII fields before constructing analytics payloads. 3) Migrate from image beacon tracking to server-side event tracking that never exposes user data in client-side logs. 4) Add validation logic that prevents any email, name, phone, or personally identifiable field from being included in third-party tracking URLs. 5) Redact all user_info structures from console logs before they reach the browser console. Code should check for email patterns, name fields, and account identifiers and remove them before any tracking call is made.
Why it's a bug
Console logs reveal user data being transmitted to nova.collect.igodigital.com via image beacons with unencrypted query parameters. The payload contains sensitive user information including: page title, full URL, user email (though empty in this case), gender, name, and account type. This data is sent in plaintext URL parameters that are: 1) Visible in browser logs and browser history, 2) Interceptable by network eavesdropping (if not HTTPS), 3) Visible to any browser extension or malicious script, 4) Logged by ISPs and network proxies. The fact that this is done via image beacon suggests an attempt to hide the tracking from users. Even though the email field appears empty here, the infrastructure is in place to transmit PII.
Why it might not be a bug
The user_info object has empty values (email='', name='', gender='N/A'), so no actual PII is currently being transmitted in these specific logs. However, the infrastructure exists to transmit PII, and the logs show the exact structure being used to exfiltrate personal data.
Suggested Fix
1) Never send user personal data (email, name, gender, account type) to third-party analytics via tracking pixels. 2) Use server-side tracking instead of client-side image beacons for sensitive data. 3) If third-party tracking is required, anonymize or hash personally identifiable fields before transmission. 4) Implement data minimization - only send necessary event data, not user profile information. 5) Redact user_info object entirely from console logs. 6) Use encrypted payloads with TLS 1.3 and consider additional encryption for sensitive parameters.
Why Fix
Transmitting personal data via tracking pixels violates privacy regulations (GDPR Article 5, CCPA ยง1798.100) and compromises user privacy. Fixing this prevents unauthorized collection and transmission of personal information to third parties.
Route To
Privacy Engineer / Data Protection Officer / Backend Engineer
Page
Tester
Pete ยท Privacy Console Log AnalyzerTechnical Evidence
Console:
[INFO] Loading the image 'https://nova.collect.igodigital.com/c2/1395628/track_page_view?payload=%7B%22title%22%3A%22Join%20M%26S%20Sparks%20%7C%20Sparks%20Card%20Rewards%20%7C%20M%26S%20US%20US%22%2C%22url%22%3A%22https%3A%2F%2Fwww.marksandspencer.com%2Fus%2Fl%2Foffers%2Fsparks%2F%22%2C%22referrer%22%3A%22%22%2C%22user_info%22%3A%7B%22email%22%3A%22%22%2C%22details%22%3A%7B%22gender%22%3A%22N%2FA%22%2C%22name%22%3A%22%22%2C%22account_type%22%3A%22Anonymous%22%7D%7D%7D'Network:
nova.collect.igodigital.com tracking pixel containing user profile data structure