Synopsis
An application was found that may use CGI parameters to control sensitive information.
Description
Judging by their names, some of the application's CGI parameters appear to control sensitive data (e.g., identifiers, privileges, commands, prices, credit card data). Such parameters may disclose sensitive data to the client, or may be tampered with to alter server-side behavior, which can result in privilege escalation or other unauthorized actions. Each flagged parameter should be examined to determine what data it actually controls, whether the server re-validates it, and whether it poses a security risk.
** This plugin only reports information that may be useful for auditors
** or pen-testers, not a real flaw.
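The check described above is purely name-based: it flags parameters whose names look sensitive so an auditor can follow up. The following is an added example written for this page, not the Nessus plugin's own code, showing the same idea as a small triage helper; the category patterns, the helper names (`classify_param`, `find_sensitive_params`) and the sample URLs are all constructed for illustration and are not the plugin's wordlist.

```python
"""Flag CGI/query parameters whose names suggest sensitive data.

Added example, not Nessus plugin code. Patterns and sample URLs are
constructed for illustration; only the parameter *name* is inspected,
so every hit is a lead for manual review, not a confirmed flaw.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Category -> regex matched against the lower-cased parameter name.
# Illustrative lists only (assumption, not the plugin's real patterns).
SENSITIVE_PATTERNS = {
    "identifier": re.compile(r"(^|_)(id|uid|userid|account)$"),
    "privilege": re.compile(r"admin|role|priv|group|level|is_super"),
    "command": re.compile(r"^(cmd|command|exec|run|shell)$|_cmd$"),
    "price": re.compile(r"price|amount|total|cost|discount|balance"),
    "payment": re.compile(r"card|cc|cvv|cvc|expiry|pan"),
}

# Constructed sample URLs, as a crawler or proxy log might yield them.
SAMPLE_URLS = [
    "https://shop.example/cart?item=42&price=9.99",
    "https://shop.example/account?user_id=1001&is_admin=0",
    "https://app.example/tools?cmd=ls&page=2",
    "https://pay.example/checkout?cc_number=4111&cvv=123&session=abc",
]


def classify_param(name: str):
    """Return the sensitive category for a parameter name, or None."""
    lname = name.lower()
    for category, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(lname):
            return category
    return None


def find_sensitive_params(urls):
    """Return (url, name, value, category) tuples for suspicious parameters.

    The observed value is kept alongside the name so the auditor can see
    what the parameter appears to control (an ID, a price, a flag, ...).
    """
    findings = []
    for url in urls:
        query = urlsplit(url).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            category = classify_param(name)
            if category:
                findings.append((url, name, value, category))
    return findings


if __name__ == "__main__":
    for url, name, value, category in find_sensitive_params(SAMPLE_URLS):
        print(f"[{category:10}] {name}={value!r}  <- {url}")
```

Name matching is deliberately noisy (a parameter called `valid` or `panel` would not match here, but broader wordlists will produce such hits), which is why the plugin reports these as informational: the follow-up is to change each flagged value and observe whether the server trusts it.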
Solution
Ensure sensitive data is not disclosed through CGI parameters. Do not use client-supplied parameters to control access to resources or privileges; derive identity, roles, prices and similar values from server-side state (the session, a catalog, a database) and enforce authorization on the server for every request.
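To make the solution concrete, here is an added example (not code from the plugin or from Tenable) contrasting a handler that trusts `price` and `is_admin` from the request with one that takes those values from server-side state. It uses plain dicts in place of a web framework's request parameters and session so it runs offline; the catalog, user table and function names are assumptions made for the example.

```python
"""Client-controlled vs. server-derived sensitive values.

Added example, not from the plugin or Tenable. Request parameters and the
session are modelled as plain dicts; CATALOG and USERS are constructed
sample data standing in for a database. Prices are integer cents to avoid
float rounding in the comparison.
"""
from dataclasses import dataclass

# Server-side sources of truth (constructed sample data).
CATALOG = {"sku-100": 4999, "sku-200": 500}   # price in cents
USERS = {"alice": "customer", "bob": "admin"}   # username -> role


@dataclass
class Order:
    sku: str
    unit_price_cents: int
    qty: int

    def total_cents(self) -> int:
        return self.unit_price_cents * self.qty


def place_order_vulnerable(params: dict) -> Order:
    """Trusts 'price' from the query string: price=1 buys the item for 1 cent."""
    return Order(params["sku"], int(params["price"]), int(params["qty"]))


def place_order_hardened(params: dict) -> Order:
    """Ignores any client-supplied price; the catalog is authoritative."""
    sku = params["sku"]
    if sku not in CATALOG:
        raise KeyError(f"unknown sku {sku!r}")
    qty = int(params["qty"])
    if qty <= 0:
        raise ValueError("qty must be positive")
    return Order(sku, CATALOG[sku], qty)


def can_delete_user_vulnerable(params: dict) -> bool:
    """Trusts 'is_admin' from the request: anyone can send is_admin=1."""
    return params.get("is_admin") == "1"


def can_delete_user_hardened(params: dict, session: dict) -> bool:
    """Derives the role from the authenticated session, never from params.

    'params' is accepted only to show it is not consulted for authorization.
    """
    role = USERS.get(session.get("user"))
    return role == "admin"


if __name__ == "__main__":
    tampered = {"sku": "sku-100", "price": "1", "qty": "3", "is_admin": "1"}
    print("vulnerable total:", place_order_vulnerable(tampered).total_cents())
    print("hardened total:  ", place_order_hardened(tampered).total_cents())
    print("vulnerable admin:", can_delete_user_vulnerable(tampered))
    print("hardened admin (alice):", can_delete_user_hardened(tampered, {"user": "alice"}))
```

The hardened handlers still accept the tampered parameters without error; they simply never read the sensitive ones. That is the practical test for each parameter this plugin flags: change the value, and confirm the server's behavior does not follow it.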
Plugin Details
File Name: webapp_sensitive_cgi_parameters.nasl
Supported Sensors: Nessus
Vulnerability Information
Required KB Items: Settings/enable_web_app_tests