CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.1)  
Search by ID:

CWE-598: Information Leak Through Query Strings in GET Request

Individual Definition in a New Window
Information Leak Through Query Strings in GET Request
Status: Draft
Weakness ID: 598 (Weakness Variant)
Description
Summary

The web application uses the GET method to process requests that contain sensitive information, which can expose that information through the browser's history, Referers, web logs, and other sources.

Potential Mitigations

When sensitive information is sent, use of the POST method is recommended (e.g. registration form).

Other Notes

At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers.

Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness ClassWeakness Class200Information Leak (Information Disclosure)
Development Concepts (primary)699
Research Concepts (primary)1000
Time of Introduction
* Architecture and Design
* Implementation
Content History
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Potential_Mitigations, Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes
Previous Entry Names
* Information Leak Through GET Request (changed 2008-04-11)
Page Last Updated: November 24, 2008