Information Exposure Through Query Strings in GET Request
ID: 598 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
The web application uses the GET method to process requests
that contain sensitive information, which can expose that information through
the browser's history, Referers, web logs, and other
sources.
Applicable Platforms: None
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Confidentiality | Read application data | At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers. |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | | When sensitive information is sent, use of the POST method is recommended (e.g. registration form). | | |
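The description names web logs and Referers as places where query-string data ends up. The following is an added example, not part of the original entry: a scan of access-log lines for GET requests and Referer values that carry sensitive parameters, reporting each URL with the value redacted. The parameter list, the Combined Log Format layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of sensitive parameters; tune this set per application.
SENSITIVE = {"password", "passwd", "token", "sessionid", "ssn", "api_key"}

# Combined Log Format: "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def sensitive_params(url):
    """Sorted sensitive parameter names found in the URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k.lower() for k, _ in pairs} & SENSITIVE)

def redact(url):
    """Copy of the URL with sensitive values replaced, safe to put in a report."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan(lines):
    """Return (line_no, source, param_names, redacted_url) for each exposure."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        # The request target only counts for GET; a Referer leaks on any method.
        candidates = [("referer", m["referer"])]
        if m["method"] == "GET":
            candidates.insert(0, ("request", m["target"]))
        for source, url in candidates:
            names = sensitive_params(url)
            if names:
                findings.append((n, source, names, redact(url)))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2022:13:55:36 +0000] "GET /login?user=alice&password=EXAMPLE HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2022:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2022:13:56:02 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://app.example/account?token=EXAMPLE" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The POST login on the second sample line produces no finding because its credentials travel in the request body, which is the behaviour the mitigation above recommends.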
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-598 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples: None
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings: None
References: None