Objective-C : Information leak via GET request

Classification

  OWASP Mobile Top 10 2014: M4 - Unintended Data Leakage
  OWASP Mobile Top 10 2016: M2 - Insecure Data Storage
  PCI DSS 4.0: 6.2.4
  HIPAA: §164.312(e)(1)
  CWE: CWE-598

Overview

The application uses a GET request instead of a POST request to transfer data to the server.

Using a GET request means that the URL, including the request parameters, may be stored in the browser cache, the server cache, and the caches of intermediate proxy servers. This may lead to a data leak. An attacker who obtains such a URL learns the structure of the request and can draw conclusions about the architecture of the application, such as the names of database tables, and use this information in an attack.
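The following is an added example, not code from the original page: the same login call built the vulnerable way (parameters in the query string) and the corrected way (parameters in a POST body), plus a small review helper that flags requests carrying sensitive field names in the URL. The endpoint https://api.example.com/login and the field names user and password are placeholders.

```objective-c
#import <Foundation/Foundation.h>

// Vulnerable (CWE-598): credentials are placed in the query string, so they become
// part of the URL that client caches, proxy caches and server logs record.
NSURLRequest *leakyLoginRequest(NSString *user, NSString *password) {
    NSURLComponents *components = [NSURLComponents componentsWithString:@"https://api.example.com/login"];
    components.queryItems = @[
        [NSURLQueryItem queryItemWithName:@"user" value:user],
        [NSURLQueryItem queryItemWithName:@"password" value:password]
    ];
    return [NSURLRequest requestWithURL:components.URL];
}

// Corrected: the same fields travel in the POST body, which is not part of the URL.
// The cache policy keeps NSURLSession from answering this request from its local cache.
NSURLRequest *bodyLoginRequest(NSString *user, NSString *password) {
    NSURL *url = [NSURL URLWithString:@"https://api.example.com/login"];
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
    request.HTTPMethod = @"POST";
    request.cachePolicy = NSURLRequestReloadIgnoringLocalCacheData;
    [request setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
    NSDictionary *payload = @{@"user": user, @"password": password};
    NSError *error = nil;
    request.HTTPBody = [NSJSONSerialization dataWithJSONObject:payload options:0 error:&error];
    return error ? nil : request;
}

// Review helper (hypothetical, for code review or a unit test): YES if the request's
// URL carries any of the given sensitive field names as query parameters.
BOOL requestExposesFieldsInQuery(NSURLRequest *request, NSSet<NSString *> *sensitiveNames) {
    NSURLComponents *components = [NSURLComponents componentsWithURL:request.URL resolvingAgainstBaseURL:NO];
    for (NSURLQueryItem *item in components.queryItems) {
        if ([sensitiveNames containsObject:item.name]) return YES;
    }
    return NO;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSSet<NSString *> *secrets = [NSSet setWithObjects:@"password", @"token", nil];
        NSURLRequest *leaky = leakyLoginRequest(@"alice", @"constructed-sample-password");
        NSURLRequest *safe = bodyLoginRequest(@"alice", @"constructed-sample-password");
        NSLog(@"GET request exposes secrets in URL:  %@", requestExposesFieldsInQuery(leaky, secrets) ? @"YES" : @"NO");
        NSLog(@"POST request exposes secrets in URL: %@", requestExposesFieldsInQuery(safe, secrets) ? @"YES" : @"NO");
    }
    return 0;
}
```

The helper only inspects the URL; it does not assert that the server refuses GET for this endpoint, which is the server-side half of the fix.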

References

  1. CWE-598: Information Exposure Through Query Strings in GET Request - cwe.mitre.org
  2. HTTP Methods: GET vs. POST - w3schools.com
  3. The Definitive Guide to GET vs POST - teamtreehouse.com
  4. OWASP Mobile Top 10 2016: M2 - Insecure Data Storage - owasp.org