Information exposure through query strings in url - Revision history

Robert Gilbert: Updated "References" and "Related Attacks"

2018-10-17T13:33:37Z

Updated "References" and "Related Attacks"

Robert Gilbert: Updated description and proposed Risk Factors

2017-05-03T17:36:20Z

Updated description and proposed Risk Factors

Robert Gilbert: Robert Gilbert moved page Information exposure through query strings in get request to Information exposure through query strings in url: The HTTP method is irrelevant. It will be exposed using GET, POST, etc. Proposed edit to CWE as well.

2017-05-03T17:26:05Z

Robert Gilbert moved page Information exposure through query strings in get request to Information exposure through query strings in url: The HTTP method is irrelevant. It will be exposed using GET, POST, etc. Proposed edit to CWE as well.

Robert Gilbert: Removed "Related Attacks" as it's open for debate.

2017-04-06T20:30:55Z

Removed "Related Attacks" as it's open for debate.

Robert Gilbert: Created page with "{{stub}} {{Template:Vulnerability}} Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' ==Description== Information exposure through query st..."

2017-04-06T20:28:16Z

Created page with "{{stub}} {{Template:Vulnerability}} Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' ==Description== Information exposure through query st..."

New page

{{stub}}

{{Template:Vulnerability}}
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Information exposure through query strings in GET request is when sensitive data is passed to parameters in the URL.
This allows attackers to obtain sensitive data such as usernames, passwords, tokens (authX), database details, and any other potentially sensitive data.
Simply using HTTPS does not resolve this vulnerability.

==Risk Factors==

TBD

==Examples==
Regardless of using encryption, the following URL will expose information in the locations detailed below:
https://vulnerablehost.com/authuser?user=bob&authz_token=1234&expire=1500000000

The parameter values for 'user', 'authz_token', and 'expire' will be exposed in the following locations when using HTTP or HTTPS:
* Referer Header
* Web Logs
* Shared Systems
* Browser History
* Browser Cache
* Shoulder Surfing
* TBD

When not using an encrypted channel, all of the above and the following:
* Man-in-the-Middle
* TBD

=== Exposure Proof-of-Concept===
The following figure displays how an internal attacker can potentially exploit this vulnerability as the request above is captured in the server logs even when requested via an encrypted channel:
https://vulnerablehost.com/information-exposure-log.png

==Related [[Attacks]]==

* [[Session Hijacking]]

==Related [[Vulnerabilities]]==

TBD

==Related [[Controls]]==

TBD

==Related [[Technical Impacts]]==

TBD

==References==

* [https://cwe.mitre.org/data/definitions/598.html CWE-598: Information Exposure Through Query Strings in GET Request]
* [https://tools.ietf.org/html/rfc6819#section-4.4.1 4.4.1.1. Threat: Eavesdropping or Leaking Authorization "codes"]
* [https://www.owasp.org/index.php/Testing_for_Exposed_Session_Variables_(OTG-SESS-004) Testing for Exposed Session Variables (OTG-SESS-004)]
* [https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure Top 10 2013-A6-Sensitive Data Exposure]
* [https://portswigger.net/knowledgebase/issues/details/00400300_passwordsubmittedusinggetmethod Passwords Submitted Using GET Method]

[[Category:Cryptographic Vulnerability]]
[[Category:Sensitive Data Protection Vulnerability]]

__NOTOC__

@@ Line 43: / Line 43: @@
 ==Related [[Attacks]]==
 TBD
@@ Line 61: / Line 63: @@
 ==References==
 * [https://cwe.mitre.org/data/definitions/598.html CWE-598: Information Exposure Through Query Strings in GET Request]
 * [https://tools.ietf.org/html/rfc6819#section-4.4.1 4.4.1.1.  Threat: Eavesdropping or Leaking Authorization "codes"]
 * [https://portswigger.net/knowledgebase/issues/details/00400300_passwordsubmittedusinggetmethod Passwords Submitted Using GET Method]

@@ Line 6: / Line 6: @@
 ==Description==
-Information exposure through query strings in GET request is when sensitive data is passed to parameters in the URL.
+Information exposure through query strings in URL is when sensitive data is passed to parameters in the URL.
 This allows attackers to obtain sensitive data such as usernames, passwords, tokens (authX), database details, and any other potentially sensitive data.
 Simply using HTTPS does not resolve this vulnerability.
@@ Line 13: / Line 13: @@
 ==Risk Factors==
-TBD
+Threat Agents: App Specific

← Older revision	Revision as of 17:26, 3 May 2017
(No difference)

@@ Line 38: / Line 38: @@
 ==Related [[Attacks]]==
+TBD
 ==Related [[Vulnerabilities]]==
@@ Line 62: / Line 61: @@
 * [https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure Top 10 2013-A6-Sensitive Data Exposure]
 * [https://portswigger.net/knowledgebase/issues/details/00400300_passwordsubmittedusinggetmethod Passwords Submitted Using GET Method]
 [[Category:Cryptographic Vulnerability]]