[Forgot Password]
Login  Register Subscribe

23631

 
 

126941

 
 

98250

 
 

909

 
 

79281

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Information Exposure Through Query Strings in GET Request

ID: 598Date: (C)2012-05-14   (M)2012-11-08
Type: weaknessStatus: DRAFT
Abstraction Type: Variant





Description

The web application uses the GET method to process requests that contain sensitive information, which can expose that information through the browser's history, Referers, web logs, and other sources.

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
 
Read application data
 
At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 
 When sensitive information is sent, use of the POST method is recommended (e.g. registration form).
 
  

Relationships

Related CWETypeViewChain
CWE-598 ChildOf CWE-895 Category CWE-888  

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings
None

References:
None

© 2013 SecPod Technologies