PHP
PHP : Information leak via GET request
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
OWASP ASVS
PCI DSS 4.0
HIPAA
CWE/SANS Top 25 2021
Overview
The application uses a GET request instead of a POST request to transfer data to the server.
With a GET request, the URL and the request parameters may be stored in the browser cache, the server cache, and the caches of intermediate proxy servers. This may lead to a data leak. An attacker who obtains this information can learn the structure of the request, draw conclusions about the architecture of the application and the names of the database tables, and use this information in an attack.
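The pattern described above and one way to correct it, as an added example that is not code from the original page. The field names, the `read_login` helpers and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical field names treated as sensitive in this example.
const SENSITIVE_FIELDS = ['password', 'token', 'card_number'];

// Weak: values arrive in the URL (/login.php?user=alice&password=...),
// so they sit wherever that URL is cached.
function read_login_weak(array $get): array
{
    return ['user' => $get['user'] ?? '', 'password' => $get['password'] ?? ''];
}

// Hardened: take the data only from a POST body and reject any request
// that still carries a sensitive field in its query string.
function read_login(string $method, array $get, array $post): array
{
    $inUrl = array_values(array_intersect(SENSITIVE_FIELDS, array_keys($get)));
    if ($inUrl !== []) {
        return ['status' => 400, 'error' => 'sensitive field in URL: ' . implode(', ', $inUrl)];
    }
    if ($method !== 'POST') {
        return ['status' => 405, 'error' => 'POST required'];
    }
    $field = static fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    return ['status' => 200, 'user' => $field('user'), 'password' => $field('password')];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests: [method, query parameters, body parameters].
    $samples = [
        ['GET',  ['user' => 'alice', 'password' => 'example-only'], []],
        ['POST', ['token' => 'example-only'], ['user' => 'alice']],
        ['GET',  ['page' => '2'], []],
        ['POST', [], ['user' => 'alice', 'password' => 'example-only']],
    ];
    foreach ($samples as [$method, $get, $post]) {
        $r = read_login($method, $get, $post);
        echo $method, ' -> ', $r['status'], ' ', $r['error'] ?? 'accepted', PHP_EOL;
    }
} else {
    // Web wiring: answer without echoing the submitted values back.
    $r = read_login($_SERVER['REQUEST_METHOD'] ?? 'GET', $_GET, $_POST);
    http_response_code($r['status']);
    header('Cache-Control: no-store');
    if ($r['status'] === 405) {
        header('Allow: POST');
    }
    echo $r['error'] ?? 'ok';
}
```

The form that submits to this handler must declare `method="post"`, otherwise the browser places the fields back in the URL.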
References
- OWASP Top 10 2017-A3-Sensitive Data Exposure
- OWASP Top 10 2017-A6-Security Misconfiguration
- OWASP Top 10 2013-A5-Security Misconfiguration
- CWE-598: Information Exposure Through Query Strings in GET Request
- HTTP Methods: GET vs. POST - w3schools.com
- The Definitive Guide to GET vs POST - teamtreehouse.com
- Is there a difference between GET and POST for web application security? - security.stackexchange.com
- CWE-497
- CWE CATEGORY: OWASP Top Ten 2017 Category A5 - Broken Access Control
- CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-209: Generation of Error Message Containing Sensitive Information
DerScanner Severity Score: MEDIUM
