Get a quote

Vulnerability Fixation
Data Sent In Plain Text In URL

Book a Free Consultation

Data Sent In Plain Text In URL

Vulnerability:

What are query parameters?

If a URI has a variable and its corresponding value getting communicated in an HTTP request to the server, the developer has implemented query parameters for sending data to the server.

Query parameters can use either the GET HTTP method or the POST HTTP method (but mainly GET is used).

Example:
https://www.mysite.com/getsecret?username=cella&password=messi

If a man-in-the-middle attack is successful (intercepting the connection and presenting a forged server certificate which the browser accepts),
it could lead to attacks like:

  • Data stealing
  • Data manipulation
  • Request forgery

Parameter values are also visible in the browser’s URL bar to other users.

In financial or banking web applications, transaction-id and amounts are often sent using query parameters.

Example::
https://www.mysite.com/getsecret?order-id=144121&amt=1400&acct=2188974568

Solution:
  • Avoid using query parameters for communicating critical sensitive data.
  • Implement strong SSL/TLS encryption for communication on all URLs.
  • Store encryption keys securely.

Also Read :

Content Sniffing

How To Enable Content Sniffing?

Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...

Read More

Content Sniffing

How To Enable Content Sniffing?

Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...

Read More

Content Sniffing

How To Enable Content Sniffing?

Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...

Read More

Content Sniffing

How To Enable Content Sniffing?

Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...

Read More