This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Information exposure through query strings in url"
(Updated description and proposed Risk Factors) |
(Updated "References" and "Related Attacks") |
||
| Line 43: | Line 43: | ||
==Related [[Attacks]]== | ==Related [[Attacks]]== | ||
| + | |||
| + | * [https://www.owasp.org/index.php/Forced_browsing Forced browsing] | ||
TBD | TBD | ||
| Line 61: | Line 63: | ||
==References== | ==References== | ||
| + | * [https://www.owasp.org/index.php/Testing_for_Exposed_Session_Variables_(OTG-SESS-004) Testing for Exposed Session Variables (OTG-SESS-004)] | ||
| + | * [https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure Top 10-2017 A3-Sensitive Data Exposure] | ||
| + | * [https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure Top 10 2013-A6-Sensitive Data Exposure] | ||
* [https://cwe.mitre.org/data/definitions/598.html CWE-598: Information Exposure Through Query Strings in GET Request] | * [https://cwe.mitre.org/data/definitions/598.html CWE-598: Information Exposure Through Query Strings in GET Request] | ||
* [https://tools.ietf.org/html/rfc6819#section-4.4.1 4.4.1.1. Threat: Eavesdropping or Leaking Authorization "codes"] | * [https://tools.ietf.org/html/rfc6819#section-4.4.1 4.4.1.1. Threat: Eavesdropping or Leaking Authorization "codes"] | ||
| − | |||
| − | |||
* [https://portswigger.net/knowledgebase/issues/details/00400300_passwordsubmittedusinggetmethod Passwords Submitted Using GET Method] | * [https://portswigger.net/knowledgebase/issues/details/00400300_passwordsubmittedusinggetmethod Passwords Submitted Using GET Method] | ||
Latest revision as of 13:33, 17 October 2018
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision (mm/dd/yy): 10/17/2018
Description
Information exposure through query strings in URL is when sensitive data is passed to parameters in the URL. This allows attackers to obtain sensitive data such as usernames, passwords, tokens (authX), database details, and any other potentially sensitive data. Simply using HTTPS does not resolve this vulnerability.
Risk Factors
Threat Agents: App Specific Attack Vectors: Average Security Weakness (prevalence): Common Security Weakness (detectability): Difficult Technical Impacts: Moderate Business Impacts: App Specific
Examples
Regardless of using encryption, the following URL will expose information in the locations detailed below: https://vulnerablehost.com/authuser?user=bob&authz_token=1234&expire=1500000000
The parameter values for 'user', 'authz_token', and 'expire' will be exposed in the following locations when using HTTP or HTTPS:
- Referer Header
- Web Logs
- Shared Systems
- Browser History
- Browser Cache
- Shoulder Surfing
- TBD
When not using an encrypted channel, all of the above and the following:
- Man-in-the-Middle
- TBD
Exposure Proof-of-Concept
The following figure displays how an internal attacker can potentially exploit this vulnerability as the request above is captured in the server logs even when requested via an encrypted channel:
Related Attacks
TBD
Related Vulnerabilities
TBD
Related Controls
TBD
Related Technical Impacts
TBD
