Password Submitted Using GET Method

medium Web App Scanning Plugin ID 98146

Language:

Synopsis

Password Submitted Using GET Method

Description

The scanner was able to detect that the application uses the HTTP GET method to transmit a password, the information of a URL can be stored in various places (web server, proxy, ...) and can be transmitted to a third party via the Referer header which also increases the chances of interception by an attacker.

Solution

For password submission and in general any form that transmits sensitive information, it is necessary to use the HTTP POST method.

See Also

https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

Plugin Details

Severity: Medium

ID: 98146

Type: remote

Family: Web Applications

Published: 2/8/2023

Updated: 9/6/2024

Scan Template: basic, full, overview, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 598

OWASP: 2010-A9, 2013-A6, 2017-A3, 2021-A4

WASC: Insufficient Transport Layer Protection

DISA STIG: APSC-DV-002480

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API3, 2023-API3

OWASP ASVS: 4.0.2-3.1.1

PCI-DSS: 3.2-6.5.4