{"@ID": "598", "@Name": "Use of HTTP Request With Sensitive Query String", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-598-Diagram.png", "Description": "The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "201", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Web Based", "@Prevalence": "Often"}, {"@Name": "Web Server", "@Prevalence": "Undetermined"}]}, "Background_Details": {"Background_Detail": "While a query string is frequently used\n\t   for GET methods, sometimes it is included with other\n\t   methods such as POST, DELETE, and PUT.  The query string\n\t   for the URL could be saved in the browser's history, passed\n\t   through Referers to other web sites, stored in web logs, or\n\t   otherwise recorded in other sources."}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": {"Scope": "Confidentiality", "Impact": "Read Application Data", "Note": {"xhtml:p": ["At a minimum, attackers can garner information from\n\t\t   query strings that can be utilized in escalating\n\t\t   their method of attack, such as information about\n\t\t   the internal workings of the application or\n\t\t   database column names.  Successful exploitation of\n\t\t   query string parameter vulnerabilities could lead\n\t\t   to an attacker impersonating a legitimate user,\n\t\t   obtaining proprietary data, or simply executing\n\t\t   actions not intended by the application developers.", "Examples of sensitive information may include\n\t\t   secrets such as session identifiers, passwords,\n\t\t   access tokens, or API keys; Personally Identifiable\n\t\t   Information (PII) such as email addresses or phone\n\t\t   numbers; records or logs of private activities;\n\t\t   communications that are expected to be private;\n\t\t   etc.  Successful exploitation of query string\n\t\t   parameter vulnerabilities could lead to an attacker\n\t\t   impersonating a legitimate user, obtaining\n\t\t   proprietary data, or simply executing actions not\n\t\t   intended by the application developers."]}}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Implementation", "Description": "When sending sensitive information, only\n               include it in the request body or request headers\n               instead of the query string. This may require avoiding\n               use of GET requests."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2025-1738", "Description": "Security camera includes a password in its query string", "Link": "https://www.cve.org/CVERecord?id=CVE-2025-1738"}, {"Reference": "CVE-2025-31954", "Description": "ML/NLP-based automation product calls a GET method with sensitive information in the query string.", "Link": "https://www.cve.org/CVERecord?id=CVE-2025-31954"}, {"Reference": "CVE-2024-31842", "Description": "Web-based communication product includes an access token in the query string of a GET request", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-31842"}, {"Reference": "CVE-2022-23546", "Description": "A discussion platform leaks private information in GET requests.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-23546"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP23", "Entry_Name": "Exposed Data"}}, "References": {"Reference": {"@External_Reference_ID": "REF-1512"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Community", "Submission_Date": "2006-12-15", "Submission_Version": "Draft 5", "Submission_ReleaseDate": "2006-12-15", "Submission_Comment": "Submitted by members of the CWE community to extend early CWE versions"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Description, Name, Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Description, Diagram, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Background_Details, Common_Consequences, Other_Notes, References, Relationships, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Background_Details, Description, Name, Observed_Examples, Potential_Mitigations"}], "Contribution": [{"@Type": "Content", "Contribution_Name": "Michal Biesiada", "Contribution_Date": "2025-10-05", "Contribution_Version": "4.19", "Contribution_ReleaseDate": "2025-12-11", "Contribution_Comment": "Suggested OWASP reference and clarifying sensitive information details, ultimately leading to an addition to the CWE glossary."}, {"@Type": "Feedback", "Contribution_Name": "Jason Stangroome", "Contribution_Date": "2025-12-27", "Contribution_Version": "4.20", "Contribution_ReleaseDate": "2026-04-30", "Contribution_Comment": "Suggested changes to remove emphasis on GET methods, which included a name change."}], "Previous_Entry_Name": [{"@Date": "2008-04-11", "#text": "Information Leak Through GET Request"}, {"@Date": "2011-03-29", "#text": "Information Leak Through Query Strings in GET Request"}, {"@Date": "2020-02-24", "#text": "Information Exposure Through Query Strings in GET Request"}, {"@Date": "2026-04-30", "#text": "Use of GET Request Method With Sensitive Query Strings"}]}}
