CWE-598: Use of GET Request Method With Sensitive Query Strings
The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
Technical Details
Structure: Simple
Applicable To
Security Consequences
Scope: Confidentiality
Impact: At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers.
Mitigation Strategies
Description: When sensitive information is sent, use the POST method (e.g., a registration form).
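The following Python script is an added illustration of this weakness and its mitigation; it is not code from MITRE or from the CWE entry. It contrasts a login request built with GET (credentials land in the URL, and therefore in server access logs, proxy logs, browser history and Referer headers) with the same request carried in a POST body, and it runs a simple detection over a few constructed access-log lines to flag requests whose query string exposes sensitive parameter names. The host `app.example`, the parameter list `SENSITIVE_KEYS` and the log lines are all assumptions made for the example.

```python
"""CWE-598 illustration: sensitive data in GET query strings, and the POST alternative."""
from urllib.parse import urlsplit, parse_qs, urlencode

# Parameter names a defender would treat as sensitive (constructed list, not from MITRE).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "ssn", "api_key", "secret"}


def sensitive_query_params(url):
    """Return the sorted names of sensitive parameters exposed in the URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(key for key in query if key.lower() in SENSITIVE_KEYS)


def build_login_get(username, password):
    """Weak pattern: the credential becomes part of the URL itself."""
    return "https://app.example/login?" + urlencode({"user": username, "password": password})


def build_login_post(username, password):
    """Mitigated pattern: the credential travels in the request body; the URL carries nothing sensitive."""
    return {
        "method": "POST",
        "url": "https://app.example/login",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"user": username, "password": password}),
    }


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:01:05 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2024:10:02:11 +0000] "GET /reset?token=abc123 HTTP/1.1" 200 1024
10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048
"""


def find_leaks_in_log(log_text):
    """Flag log lines whose request target exposes sensitive query parameters.

    Returns a list of (method, path, [sensitive parameter names]) tuples.
    """
    findings = []
    for line in log_text.splitlines():
        try:
            request_line = line.split('"')[1]          # the quoted "METHOD target HTTP/x.y" part
            method, target, _version = request_line.split(" ", 2)
        except (IndexError, ValueError):
            continue                                   # malformed line; skip it
        keys = sensitive_query_params(target)
        if keys:
            findings.append((method, target.split("?", 1)[0], keys))
    return findings


if __name__ == "__main__":
    print("GET form exposes:", sensitive_query_params(build_login_get("alice", "hunter2")))
    print("POST form exposes:", sensitive_query_params(build_login_post("alice", "hunter2")["url"]))
    for method, path, keys in find_leaks_in_log(SAMPLE_LOG):
        print(f"leak: {method} {path} exposes {', '.join(keys)}")
```

Moving the data into a POST body keeps it out of URL-based stores such as access logs and Referer headers, which is the point of the mitigation; it does not by itself protect the body in transit, so the request still needs TLS. The log scan is a useful retrospective check on an existing application: any hit means the value has already been written to wherever that log is shipped.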
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Observed CVE Examples (1): CVE-2022-23546
CWE Relationships
Frequently Asked Questions
What is CWE-598: Use of GET Request Method With Sensitive Query Strings?
CWE-598: Use of GET Request Method With Sensitive Query Strings is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
What are the security consequences of Use of GET Request Method With Sensitive Query Strings?
If exploited, CWE-598 (Use of GET Request Method With Sensitive Query Strings) can compromise Confidentiality, leading to outcomes such as Read Application Data.
How do you prevent or mitigate Use of GET Request Method With Sensitive Query Strings?
Recommended mitigations for CWE-598 include: When sensitive information is sent, use the POST method (e.g., a registration form).
What are real-world examples of Use of GET Request Method With Sensitive Query Strings?
MITRE documents real CVEs mapped to CWE-598, including CVE-2022-23546. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-598 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.