Sensitive Data Sent in GET Request

Introduction

Information exposure through query strings occurs when sensitive data is passed in URL parameters. This allows attackers to obtain sensitive data such as usernames, passwords, tokens (authX), database details, and any other potentially sensitive data. Simply using HTTPS does not resolve this vulnerability.

How to Test

Here, sensitive details such as the name, token and expiry are passed in the URL:

https://vulnerablehost.com/authuser?user=bob&authz_token=1234&expire=1500000000

The parameter values for user, authz_token, and expire will be exposed in the following locations when using HTTP or HTTPS:

  • Referer Header

  • Web Logs

  • Shared Systems

  • Browser History

  • Browser Cache

  • Shoulder Surfing
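
An added example (not part of the original page): a Node.js helper that audits web-server access log lines, covering the web log and Referer locations listed above, for sensitive parameters and redacts their values. The parameter name list, the combined log format and the sample lines are assumptions constructed for illustration.

```javascript
// Added example: flag and redact sensitive query-string parameters in access logs.
// SENSITIVE is an assumed name list; extend it for your application.
const SENSITIVE = new Set(["user", "authz_token", "expire", "password", "token"]);

// Redact sensitive parameter values in one URL or path; returns { url, hits }.
function redactUrl(raw) {
  const q = raw.indexOf("?");
  if (q === -1) return { url: raw, hits: [] };
  const hashAt = raw.indexOf("#", q);
  const query = raw.slice(q + 1, hashAt === -1 ? undefined : hashAt);
  const tail = hashAt === -1 ? "" : raw.slice(hashAt);
  const hits = [];
  const redacted = query.split("&").map((pair) => {
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    let key;
    try { key = decodeURIComponent(name.replace(/\+/g, " ")).toLowerCase(); }
    catch { key = name.toLowerCase(); } // malformed percent-encoding: match raw name
    if (eq === -1 || !SENSITIVE.has(key)) return pair;
    hits.push(key);
    return `${name}=REDACTED`;
  }).join("&");
  return { url: raw.slice(0, q + 1) + redacted + tail, hits };
}

// Audit one combined-log-format line: checks the request target and the Referer field.
function auditLogLine(line) {
  const m = line.match(/"(\S+) (\S+) (HTTP\/[\d.]+)" (\d{3}) (\S+) "([^"]*)"/);
  if (!m) return { line, findings: [] };
  const target = redactUrl(m[2]);
  const referer = redactUrl(m[6]);
  const findings = [
    ...target.hits.map((p) => `request:${p}`),
    ...referer.hits.map((p) => `referer:${p}`),
  ];
  const clean = line.replace(m[0], () =>
    `"${m[1]} ${target.url} ${m[3]}" ${m[4]} ${m[5]} "${referer.url}"`);
  return { line: clean, findings };
}

// Constructed sample log lines (not real traffic).
const SAMPLE = [
  '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /authuser?user=bob&authz_token=1234&expire=1500000000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /logo.png HTTP/1.1" 200 2048 "https://vulnerablehost.com/authuser?user=bob&authz_token=1234&expire=1500000000" "Mozilla/5.0"',
  '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "POST /authuser HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
];
for (const l of SAMPLE) console.log(auditLogLine(l));
```

The second sample line shows the Referer case: the request for /logo.png carries no parameters itself, yet the token still lands in the log through the Referer field.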

Solution

When sending sensitive information, use the POST method instead of a GET request.

Here the ‘id’ parameter is sent through a GET request:

<a href="xyz?id=4"> click </a>

To convert GET to POST, simply change the link to a form

<form id="myForm" action="xyz" method="post">
<input type="hidden" name="id" value="4"/>
</form>

This form will not be visible and we can easily auto-submit it using JavaScript in our link

<a href="javascript:void document.getElementById('myForm').submit();"> click </a>

Most importantly, GET and POST are equally insecure over HTTP. To secure them, use HTTPS.
