CWE - CWE-598: Information Leak Through Query Strings in GET Request (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-598: Information Leak Through Query Strings in GET Request

Information Leak Through Query Strings in GET Request

Weakness ID: 598 (Weakness Variant)

Status: Draft

Description

Description Summary

The web application uses the GET method to process requests that contain sensitive information, which can expose that information through the browser's history, Referers, web logs, and other sources.

Time of Introduction

Architecture and Design
Implementation

Potential Mitigations

Phase	Description
	When sensitive information is sent, use of the POST method is recommended (e.g. registration form).

Other Notes

At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	200	Information Leak (Information Disclosure)	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	729	OWASP Top Ten 2004 Category A8 - Insecure Storage	Weaknesses in OWASP Top Ten (2004) (primary)711

Content History

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Potential Mitigations, Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Other Notes
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Relationships

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us