CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-598: Information Exposure Through Query Strings in GET Request

 
Information Exposure Through Query Strings in GET Request
Weakness ID: 598 (Weakness Variant)Status: Draft
+ Description

Description Summary

The web application uses the GET method to process requests that contain sensitive information, which can expose that information through the browser's history, Referers, web logs, and other sources.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences
ScopeEffect

Technical Impact: Read application data

At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers.

+ Potential Mitigations

Phase: Implementation

When sensitive information is sent, use of the POST method is recommended (e.g. registration form).

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class200Information Exposure
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory729OWASP Top Ten 2004 Category A8 - Insecure Storage
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory895SFP Cluster: Information Leak
Software Fault Pattern (SFP) Clusters (primary)888
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08MITREInternal
updated Relationships, Other_Notes
2009-03-10MITREInternal
updated Relationships
2011-03-29MITREInternal
updated Name
2011-06-01MITREInternal
updated Common_Consequences, Other_Notes
2012-05-11MITREInternal
updated Relationships
2012-10-30MITREInternal
updated Potential_Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Information Leak Through GET Request
2011-03-29Information Leak Through Query Strings in GET Request
Page Last Updated: June 23, 2014