CWE-598: Information Exposure Through Query Strings in GET Request
Weakness ID: 598 (Weakness Variant)
The web application uses the GET method to process requests that contain sensitive information, which can expose that information through the browser's history, Referers, web logs, and other sources.
Time of Introduction
Architecture and Design
Technical Impact: Read application data
At a minimum, attackers can gather information from query strings that
helps them escalate an attack, such as details about the internal
workings of the application or database column names. Successful
exploitation of query string parameter vulnerabilities could lead to an
attacker impersonating a legitimate user, obtaining proprietary data, or
simply executing actions not intended by the application developers.
When sensitive information is sent, use of the POST method is
recommended (e.g. for a registration form).