CWE-598 - Use of GET Request Method With Sensitive Query Strings

Description: The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks.

Common Consequences: Scope: Confidentiality
Impact: Read Application Data
Notes: At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers.

Related Weaknesses: CWE-201Insertion of Sensitive Information Into Sent Data

Free security scan for your website

Don't show website scan report rating on the leaderboard

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.