diff --git a/js/common.js b/js/common.js
index 08a4907..f0482ae 100644
--- a/js/common.js
+++ b/js/common.js
@@ -21,11 +21,13 @@ require('./bootstrap-3.3.7');
 require('./privatebin');
 
 // internal variables
-var a2zString = ['a','b','c','d','e','f','g','h','i','j','k','l','m',
-                     'n','o','p','q','r','s','t','u','v','w','x','y','z'],
-    alnumString = a2zString.concat(['0','1','2','3','4','5','6','7','8','9']),
-    queryString = alnumString.concat(['+','%','&','.','*','-','_']),
-    hashString = queryString.concat(['!']),
+var a2zString    = ['a','b','c','d','e','f','g','h','i','j','k','l','m',
+                    'n','o','p','q','r','s','t','u','v','w','x','y','z'],
+    digitString  = ['0','1','2','3','4','5','6','7','8','9'],
+    alnumString  = a2zString.concat(digitString),
+    hexString    = digitString.concat(['a','b','c','d','e','f']),
+    queryString  = alnumString.concat(['+','%','&','.','*','-','_']),
+    hashString   = queryString.concat(['!']),
     base64String = alnumString.concat(['+','/','=']).concat(
         a2zString.map(function(c) {
             return c.toUpperCase();
@@ -118,6 +120,11 @@ exports.jscAlnumString = function() {
     return jsc.elements(alnumString);
 };
 
+//provides random characters allowed in hexadecimal notation
+exports.jscHexString = function() {
+    return jsc.elements(hexString);
+};
+
 // provides random characters allowed in GET queries
 exports.jscQueryString = function() {
     return jsc.elements(queryString);
diff --git a/js/privatebin.js b/js/privatebin.js
index f4bb3ca..766e612 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1026,13 +1026,44 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         me.getPasteId = function()
         {
-            if (id === null) {
-                // Attention: This also returns the delete token inside of the ID, if it is specified
-                id = window.location.search.substring(1);
+            const idRegEx = /^[a-z0-9]{16}$/;
+            const idRegExFind = /[a-z0-9]{16}/;
 
-                if (id === '') {
-                    throw 'no paste id given';
+            // return cached value
+            if (id !== null) {
+                return id;
+            }
+
+            // do use URL interface, if possible
+            if (window.URL && window.URL.prototype && ('searchParams' in window.URL.prototype)) {
+                try {
+                    const url = new URL(window.location);
+
+                    for (const param of url.searchParams) {
+                        const key = param[0];
+                        const value = param[1];
+
+                        if (value === '' && idRegEx.test(key)) {
+                            // safe, as the whole regex is matched
+                            id = key;
+                            return id;
+                        }
+                    }
+                } catch (e) {
+                    // fallback below
+                    console.error('URL interface not properly supported, error:', e);
                 }
+            } else {
+                console.warn('URL interface appears not to be supported in this browser.');
+            }
+
+            // fallback to simple RegEx
+            console.warn('fallback to simple RegEx search');
+            // Attention: This also returns the delete token inside of the ID, if it is specified
+            id = (window.location.search.match(idRegExFind) || [''])[0];
+
+            if (id === '') {
+                throw 'no paste id given';
             }
 
             return id;
diff --git a/js/test/Model.js b/js/test/Model.js
index f9acc5c..d5a92b3 100644
--- a/js/test/Model.js
+++ b/js/test/Model.js
@@ -81,18 +81,23 @@ describe('Model', function () {
             'returns the query string without separator, if any',
             jsc.nearray(common.jscA2zString()),
             jsc.nearray(common.jscA2zString()),
-            jsc.nearray(common.jscHashString()),
+            jsc.tuple(new Array(16).fill(common.jscHexString)),
+            jsc.array(common.jscQueryString()),
+            jsc.array(common.jscQueryString()),
             'string',
-            function (schema, address, query, fragment) {
-                var queryString = query.join(''),
-                    clean = jsdom('', {
+            function (schema, address, pasteId, queryStart, queryEnd, fragment) {
+                var pasteIdString    = pasteId.join(''),
+                    queryStartString = queryStart.join('') + (queryStart.length > 0 ? '&' : ''),
+                    queryEndString   = (queryEnd.length > 0 ? '&' : '') + queryEnd.join(''),
+                    queryString      = queryStartString + pasteIdString + queryEndString,
+                    clean            = jsdom('', {
                         url: schema.join('') + '://' + address.join('') +
                              '/?' + queryString + '#' + fragment
                     }),
                     result = $.PrivateBin.Model.getPasteId();
                 $.PrivateBin.Model.reset();
                 clean();
-                return queryString === result;
+                return pasteIdString === result;
             }
         );
         jsc.property(
diff --git a/js/test/Prompt.js b/js/test/Prompt.js
index 310c424..94abaab 100644
--- a/js/test/Prompt.js
+++ b/js/test/Prompt.js
@@ -16,7 +16,7 @@ describe('Prompt', function () {
             'string',
             function (password) {
                 password = password.replace(/\r+/g, '');
-                var clean = jsdom('', {url: 'ftp://example.com/?0'});
+                var clean = jsdom('', {url: 'ftp://example.com/?0000000000000000'});
                 $('body').html(
                     '<div id="passwordmodal" class="modal fade" role="dialog">' +
                     '<div class="modal-dialog"><div class="modal-content">' +
diff --git a/lib/Request.php b/lib/Request.php
index 65549a9..3e6e902 100644
--- a/lib/Request.php
+++ b/lib/Request.php
@@ -72,6 +72,27 @@ class Request
      */
     private $_isJsonApi = false;
 
+    /**
+     * Return the paste ID of the current paste.
+     *
+     * @access private
+     * @return string
+     */
+    private function getPasteId()
+    {
+        // RegEx to check for valid paste ID (16 base64 chars)
+        $pasteIdRegEx = '/^[a-f0-9]{16}$/';
+
+        foreach ($_GET as $key => $value) {
+            // only return if value is empty and key matches RegEx
+            if (($value === '') and preg_match($pasteIdRegEx, $key, $match)) {
+                return $match[0];
+            }
+        }
+
+        return 'invalid id';
+    }
+
     /**
      * Constructor
      *
@@ -100,7 +121,7 @@ class Request
             array_key_exists('QUERY_STRING', $_SERVER) &&
             !empty($_SERVER['QUERY_STRING'])
         ) {
-            $this->_params['pasteid'] = $_SERVER['QUERY_STRING'];
+            $this->_params['pasteid'] = $this->getPasteId();
         }
 
         // prepare operation, depending on current parameters
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 3d9a843..25dbf1a 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -71,7 +71,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-DctI/LNueHnbinNWC5AhsfMgABi8pGW7SnF5Q0fg68Cv/rDznb/htcdsnlQzQOxRvSzVKNHW+OOkvOxgIY/qkg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-qHTvFreACpXmDG5WUwZdsbV9ZcnMqfi+OCgmPRY7TjZVuaS9GqpvhH+EiTZh5rGUPvHr/jPCa1X9LHwgVlKi/g==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index fa368fc..4165e72 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -49,7 +49,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-DctI/LNueHnbinNWC5AhsfMgABi8pGW7SnF5Q0fg68Cv/rDznb/htcdsnlQzQOxRvSzVKNHW+OOkvOxgIY/qkg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-qHTvFreACpXmDG5WUwZdsbV9ZcnMqfi+OCgmPRY7TjZVuaS9GqpvhH+EiTZh5rGUPvHr/jPCa1X9LHwgVlKi/g==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tst/ConfigurationTestGenerator.php b/tst/ConfigurationTestGenerator.php
index ccf7c82..0aaec88 100755
--- a/tst/ConfigurationTestGenerator.php
+++ b/tst/ConfigurationTestGenerator.php
@@ -507,6 +507,7 @@ EOT;
                 $code .= PHP_EOL . <<<'EOT'
         $this->_model->create(Helper::getPasteId(), Helper::getPaste());
         $_SERVER['QUERY_STRING'] = Helper::getPasteId();
+        $_GET[Helper::getPasteId()] = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
 EOT;
                 break;
diff --git a/tst/ControllerTest.php b/tst/ControllerTest.php
index 432c829..88d5301 100644
--- a/tst/ControllerTest.php
+++ b/tst/ControllerTest.php
@@ -680,6 +680,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
     public function testReadInvalidId()
     {
         $_SERVER['QUERY_STRING']          = 'foo';
+        $_GET['foo']                      = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         ob_start();
         new Controller;
@@ -696,6 +697,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
     public function testReadNonexisting()
     {
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         ob_start();
         new Controller;
@@ -714,6 +716,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $expiredPaste = Helper::getPaste(array('expire_date' => 1344803344));
         $this->_model->create(Helper::getPasteId(), $expiredPaste);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         ob_start();
         new Controller;
@@ -732,6 +735,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $paste = Helper::getPaste(array('burnafterreading' => true));
         $this->_model->create(Helper::getPasteId(), $paste);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         ob_start();
         new Controller;
@@ -760,6 +764,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $paste = Helper::getPaste();
         $this->_model->create(Helper::getPasteId(), $paste);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         ob_start();
         new Controller;
@@ -790,6 +795,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         );
         $this->_model->create(Helper::getPasteId(), $paste);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         ob_start();
         new Controller;
@@ -897,6 +903,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
         $_POST['deletetoken']             = 'burnafterreading';
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         $_SERVER['REQUEST_METHOD']        = 'POST';
         ob_start();
@@ -917,6 +924,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
         $_POST['deletetoken']             = 'burnafterreading';
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         $_SERVER['REQUEST_METHOD']        = 'POST';
         ob_start();
diff --git a/tst/JsonApiTest.php b/tst/JsonApiTest.php
index 1f8d53a..6914d3f 100644
--- a/tst/JsonApiTest.php
+++ b/tst/JsonApiTest.php
@@ -82,6 +82,7 @@ class JsonApiTest extends PHPUnit_Framework_TestCase
         file_put_contents($file, http_build_query($paste));
         Request::setInputStream($file);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         $_SERVER['REQUEST_METHOD']        = 'PUT';
         $_SERVER['REMOTE_ADDR']           = '::1';
@@ -117,6 +118,7 @@ class JsonApiTest extends PHPUnit_Framework_TestCase
         )));
         Request::setInputStream($file);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         $_SERVER['REQUEST_METHOD']        = 'DELETE';
         ob_start();
@@ -164,6 +166,7 @@ class JsonApiTest extends PHPUnit_Framework_TestCase
         unset($paste['attachmentname']);
         $this->_model->create(Helper::getPasteId(), $paste);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
+        $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         ob_start();
         new Controller;
diff --git a/tst/RequestTest.php b/tst/RequestTest.php
index 29b0dad..e5567d6 100644
--- a/tst/RequestTest.php
+++ b/tst/RequestTest.php
@@ -21,6 +21,36 @@ class RequestTest extends PHPUnit_Framework_TestCase
         $_POST   = array();
     }
 
+    /**
+     * Returns 16 random hexadecimal characters.
+     *
+     * @access public
+     * @return string
+     */
+    public function getRandomId()
+    {
+        // 8 binary bytes are 16 characters long in hex
+        return bin2hex(random_bytes(8));
+    }
+
+    /**
+     * Returns random query safe characters.
+     *
+     * @access public
+     * @return string
+     */
+    public function getRandomQueryChars()
+    {
+        $queryChars     = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ=';
+        $queryCharCount = strlen($queryChars) - 1;
+        $resultLength   = random_int(1, 10);
+        $result         = '';
+        for ($i = 0; $i < $resultLength; ++$i) {
+            $result .= $queryChars[random_int(0, $queryCharCount)];
+        }
+        return $result;
+    }
+
     public function testView()
     {
         $this->reset();
@@ -33,24 +63,27 @@ class RequestTest extends PHPUnit_Framework_TestCase
     public function testRead()
     {
         $this->reset();
+        $id                        = $this->getRandomId();
         $_SERVER['REQUEST_METHOD'] = 'GET';
-        $_SERVER['QUERY_STRING']   = 'foo';
+        $_SERVER['QUERY_STRING']   = $id;
+        $_GET[$id]                 = '';
         $request                   = new Request;
         $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
-        $this->assertEquals('foo', $request->getParam('pasteid'));
+        $this->assertEquals($id, $request->getParam('pasteid'));
         $this->assertEquals('read', $request->getOperation());
     }
 
     public function testDelete()
     {
         $this->reset();
+        $id                        = $this->getRandomId();
         $_SERVER['REQUEST_METHOD'] = 'GET';
-        $_GET['pasteid']           = 'foo';
+        $_GET['pasteid']           = $id;
         $_GET['deletetoken']       = 'bar';
         $request                   = new Request;
         $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
         $this->assertEquals('delete', $request->getOperation());
-        $this->assertEquals('foo', $request->getParam('pasteid'));
+        $this->assertEquals($id, $request->getParam('pasteid'));
         $this->assertEquals('bar', $request->getParam('deletetoken'));
     }
 
@@ -84,74 +117,103 @@ class RequestTest extends PHPUnit_Framework_TestCase
     public function testApiRead()
     {
         $this->reset();
+        $id                        = $this->getRandomId();
         $_SERVER['REQUEST_METHOD'] = 'GET';
         $_SERVER['HTTP_ACCEPT']    = 'application/json, text/javascript, */*; q=0.01';
-        $_SERVER['QUERY_STRING']   = 'foo';
+        $_SERVER['QUERY_STRING']   = $id;
+        $_GET[$id]                 = '';
         $request                   = new Request;
         $this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
-        $this->assertEquals('foo', $request->getParam('pasteid'));
+        $this->assertEquals($id, $request->getParam('pasteid'));
         $this->assertEquals('read', $request->getOperation());
     }
 
     public function testApiDelete()
     {
         $this->reset();
+        $id                               = $this->getRandomId();
         $_SERVER['REQUEST_METHOD']        = 'POST';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
-        $_SERVER['QUERY_STRING']          = 'foo';
+        $_SERVER['QUERY_STRING']          = $id;
+        $_GET                             = array($id => '');
         $_POST['deletetoken']             = 'bar';
         $request                          = new Request;
         $this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
         $this->assertEquals('delete', $request->getOperation());
-        $this->assertEquals('foo', $request->getParam('pasteid'));
+        $this->assertEquals($id, $request->getParam('pasteid'));
         $this->assertEquals('bar', $request->getParam('deletetoken'));
     }
 
     public function testReadWithNegotiation()
     {
         $this->reset();
+        $id                        = $this->getRandomId();
         $_SERVER['REQUEST_METHOD'] = 'GET';
         $_SERVER['HTTP_ACCEPT']    = 'text/html,text/html; charset=UTF-8,application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
-        $_SERVER['QUERY_STRING']   = 'foo';
+        $_SERVER['QUERY_STRING']   = $id;
+        $_GET[$id]                 = '';
         $request                   = new Request;
         $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
-        $this->assertEquals('foo', $request->getParam('pasteid'));
+        $this->assertEquals($id, $request->getParam('pasteid'));
         $this->assertEquals('read', $request->getOperation());
     }
 
     public function testReadWithXhtmlNegotiation()
     {
         $this->reset();
+        $id                        = $this->getRandomId();
         $_SERVER['REQUEST_METHOD'] = 'GET';
         $_SERVER['HTTP_ACCEPT']    = 'application/xhtml+xml,text/html,text/html; charset=UTF-8, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
-        $_SERVER['QUERY_STRING']   = 'foo';
+        $_SERVER['QUERY_STRING']   = $id;
+        $_GET[$id]                 = '';
         $request                   = new Request;
         $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
-        $this->assertEquals('foo', $request->getParam('pasteid'));
+        $this->assertEquals($id, $request->getParam('pasteid'));
         $this->assertEquals('read', $request->getOperation());
     }
 
     public function testApiReadWithNegotiation()
     {
         $this->reset();
+        $id                        = $this->getRandomId();
         $_SERVER['REQUEST_METHOD'] = 'GET';
         $_SERVER['HTTP_ACCEPT']    = 'text/plain,text/csv, application/xml;q=0.9, application/json, text/html,text/html; charset=UTF-8,application/xhtml+xml, */*;q=0.8';
-        $_SERVER['QUERY_STRING']   = 'foo';
+        $_SERVER['QUERY_STRING']   = $id;
+        $_GET[$id]                 = '';
         $request                   = new Request;
         $this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
-        $this->assertEquals('foo', $request->getParam('pasteid'));
+        $this->assertEquals($id, $request->getParam('pasteid'));
         $this->assertEquals('read', $request->getOperation());
     }
 
     public function testReadWithFailedNegotiation()
     {
         $this->reset();
+        $id                        = $this->getRandomId();
         $_SERVER['REQUEST_METHOD'] = 'GET';
         $_SERVER['HTTP_ACCEPT']    = 'text/plain,text/csv, application/xml;q=0.9, */*;q=0.8';
-        $_SERVER['QUERY_STRING']   = 'foo';
+        $_SERVER['QUERY_STRING']   = $id;
+        $_GET[$id]                 = '';
         $request                   = new Request;
         $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
-        $this->assertEquals('foo', $request->getParam('pasteid'));
+        $this->assertEquals($id, $request->getParam('pasteid'));
         $this->assertEquals('read', $request->getOperation());
     }
+
+    public function testPasteIdExtraction()
+    {
+        $this->reset();
+        $id              = $this->getRandomId();
+        $queryParams     = array($id);
+        $queryParamCount = random_int(1, 5);
+        for ($i = 0; $i < $queryParamCount; ++$i) {
+            array_push($queryParams, $this->getRandomQueryChars());
+        }
+        shuffle($queryParams);
+        $_SERVER['REQUEST_METHOD'] = 'GET';
+        $_SERVER['QUERY_STRING']   = implode('&', $queryParams);
+        $_GET[$id]                 = '';
+        $request                   = new Request;
+        $this->assertEquals($id, $request->getParam('pasteid'));
+    }
 }