The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.

What CVEs are caused by CWE-598?

74 recorded CVEs are attributed to CWE-598, including CVE-2023-6014, CVE-2021-36328, CVE-2020-5331.

How do you prevent CWE-598?

When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.

How is CWE-598 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-598?

Exploiting CWE-598 can lead to: Read Application Data.

Is CWE-598 actively exploited?

74 recorded CVEs are caused by CWE-598; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-598: Use of HTTP Request With Sensitive Query String

While a query string is frequently used for GET methods, sometimes it is included with other methods such as POST, DELETE, and PUT. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources.

CWE-598: Use of HTTP Request With Sensitive Query String

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-598?

What CVEs are caused by CWE-598?

How do you prevent CWE-598?

How is CWE-598 detected?

What are the consequences of CWE-598?

Is CWE-598 actively exploited?

References

Stay ahead of CWE-598

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-598?

What CVEs are caused by CWE-598?

How do you prevent CWE-598?

How is CWE-598 detected?

What are the consequences of CWE-598?

Is CWE-598 actively exploited?

References

Stay ahead of CWE-598