CWE - CWE-598: Use of GET Request Method With Sensitive Query Strings (4.9)

Weakness ID: 598

抽象：Variant
Structure:Simple

View customized information:

Description

Web应用程序使用HTTP GET方法处理请求，并在该请求的查询字符串中包含敏感信息。

Extended Description

The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks.

关系

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (CWE-1000)

Nature	Type	ID	Name
ChildOf	根据- a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	201	Insertion of Sensitive Information Into Sent Data

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase	Note
Architecture and Design
Implementation

Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

范围	Impact	Likelihood
保密	Technical Impact:Read Application Data 至少，攻击者可以从查询字符串中获取信息，这些信息可用于升级其攻击方法，例如有关应用程序内部工作或数据库列名称的信息。成功利用查询字符串参数漏洞可能会导致攻击者冒充合法用户，获取专有数据，或者简单地执行应用程序开发人员未打算的操作。

Potential Mitigations

Phase: Implementation

发送敏感信息时，请使用POST方法（例如注册表格）。

Memberships

此成员关系表显示了其他CWE类别和视图，将此弱点称为成员。该信息通常可用于理解弱点适合外部信息源的何处。

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	729	OWASP Top Ten 2004 Category A8 - Insecure Storage
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	963	SFP Secondary Cluster: Exposed Data
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1348	OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Taxonomy Mappings

Mapped Taxonomy Name	节点ID	合身	映射的节点名称
Software Fault Patterns	SFP23		Exposed Data

Content History

Submissions
Submission Date	提交者	Organization
2006-12-15	CWE Community
2006-12-15	Submitted by members of the CWE community to extend early CWE versions
Modifications
Modification Date	修饰符	Organization
2008-07-01	Eric Dalci	雪茄
2008-07-01	updated Potential_Mitigations, Time_of_Introduction
2008-09-08	CWE内容团队	MITRE
2008-09-08	updated Relationships, Other_Notes
2009-03-10	CWE内容团队	MITRE
2009-03-10	updated Relationships
2011-03-29	CWE内容团队	MITRE
2011-03-29	updated Name
2011-06-01	CWE内容团队	MITRE
2011-06-01	更新的common_cconsquences，other_notes
2012-05-11	CWE内容团队	MITRE
2012-05-11	updated Relationships
2012-10-30	CWE内容团队	MITRE
2012-10-30	updated Potential_Mitigations
2014-07-30	CWE内容团队	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2020-02-24	CWE内容团队	MITRE
2020-02-24	updated Description, Name, Potential_Mitigations, Relationships
2021-07-20	CWE内容团队	MITRE
2021-07-20	updated Description
2021-10-28	CWE内容团队	MITRE
2021-10-28	updated Relationships
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Information Leak Through GET Request

2011-03-29	Information Leak Through Query Strings in GET Request

2020-02-24	Information Exposure Through Query Strings in GET Request

Common Weakness Enumeration

CWE-598：使用敏感查询字符串的GET请求方法


	Site Map\|Terms of Use\|Privacy Policy\|联系我们\| Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to theTerms of Use. CWE is sponsored by theU.S. Department of Homeland Security(DHS)网络安全和基础设施安全局(CISA) and managed by the国土安全系统工程和开发研究所（HSSEDI）由manbetx客户端首页(MITRE). Copyright © 2006–2023, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.