Weakness reference
CWE-598

Use of GET Request Method With Sensitive Query Strings

This weakness occurs when a web application transmits sensitive data passwords, tokens, personal information as part of a GET request's query string. Because…

01Summary

This weakness occurs when a web application transmits sensitive data (passwords, tokens, personal information) as part of a GET request's query string. Because GET parameters are visible in browser history, server logs, proxy caches, and referrer headers, this data can be exposed to unintended parties. Sensitive operations should always use POST with encrypted transport (HTTPS).

02How It Happens

GET requests are designed for retrieving data, not modifying state or handling secrets. The query string is part of the URL itself, which means it is stored in multiple places by default: the browser's history, web server access logs, HTTP proxies, and any intermediate systems that cache or monitor traffic. When developers use GET to submit login credentials, API keys, session tokens, or personal identifiers, they inadvertently create multiple copies of that sensitive data in locations they may not control or even be aware of. This is especially dangerous in shared environments (libraries, offices, public WiFi) where other users can access the same machine or network.

03Real-World Impact

An attacker with access to a shared computer can retrieve credentials from browser history. Server administrators or log aggregation systems may expose query strings in plainly readable logs. Network proxies or ISPs can see the full URL. Even if HTTPS is used, the query string is encrypted in transit but still logged in plaintext on the server side. This can lead to account compromise, unauthorized API access, or exposure of personally identifiable information (PII) to third parties.

04Vulnerable & Fixed Patterns

Vulnerable pattern
from urllib.parse import urlencode
import requests

# Vulnerable: sensitive data in query string
user_input = request.args.get('password')
api_key = request.args.get('api_key')

url = f"https://api.example.com/authenticate?{urlencode({'password': user_input, 'api_key': api_key})}"
response = requests.get(url)

Why it's vulnerable:
The password and API key are embedded in the URL query string, where they will be logged by servers, proxies, and stored in browser history.

Fixed pattern
import requests

# Fixed: sensitive data in POST body
user_input = request.form.get('password')
api_key = request.form.get('api_key')

url = "https://api.example.com/authenticate"
response = requests.post(url, json={'password': user_input, 'api_key': api_key})
Vulnerable pattern
<?php
// Vulnerable: sensitive data in query string
$password = $_GET['password'];
$token = $_GET['token'];

$url = "https://api.example.com/login?password=" . urlencode($password) . "&token=" . urlencode($token);
$response = file_get_contents($url);
?>

Why it's vulnerable:
GET parameters are visible in the URL, logged by web servers, and stored in browser history and referrer headers.

Fixed pattern
<?php
// Fixed: sensitive data in POST body
$password = $_POST['password'];
$token = $_POST['token'];

$url = "https://api.example.com/login";
$options = [
    'http' => [
        'method' => 'POST',
        'header' => 'Content-Type: application/json',
        'content' => json_encode(['password' => $password, 'token' => $token])
    ]
];
$context = stream_context_create($options);
$response = file_get_contents($url, false, $context);
?>

05Prevention Checklist

Use POST (or PUT/PATCH) for any request that transmits passwords, tokens, API keys, or personally identifiable information.
Enforce HTTPS for all authentication and sensitive data transmission; never send credentials over HTTP.
Configure web server logging to exclude or redact query strings, or log them separately with restricted access.
Audit forms and API endpoints to ensure sensitive fields use method="post" and are never passed as URL parameters.
Educate developers that GET is for safe, idempotent retrieval only; state-changing or secret-bearing requests must use POST.
Use security headers like Referrer-Policy: no-referrer to prevent sensitive query strings from leaking via referrer headers to third-party sites.

06Signs You May Already Be Affected

Review your web server access logs for patterns of sensitive data (passwords, tokens, email addresses) appearing in query strings. Check browser history on shared machines for URLs containing authentication parameters. If you find such entries, assume the data has been exposed and force password resets or token revocation immediately.

07Related Recent Vulnerabilities