| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-04-20 10:00:54 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-04-20 10:00:54 +0000 |
| commit | 3cccd102ba543e02725d247893729e5c73b38295 (patch) | |
| tree | f36a04ec38517f5deaaacb5acc7d949688d1e187 /doc/user/application_security/dast/checks/598.2.md | |
| parent | 205943281328046ef7b4528031b90fbda70c75ac (diff) | |
| download | gitlab-ce-3cccd102ba543e02725d247893729e5c73b38295.tar.gz | |
Add latest changes from gitlab-org/gitlab@14-10-stable-ee (v14.10.0-rc42)
Diffstat (limited to 'doc/user/application_security/dast/checks/598.2.md')
-rw-r--r-- | doc/user/application_security/dast/checks/598.2.md | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/doc/user/application_security/dast/checks/598.2.md b/doc/user/application_security/dast/checks/598.2.md new file mode 100644 index 00000000000..f6c6787128d --- /dev/null +++ b/doc/user/application_security/dast/checks/598.2.md @@ -0,0 +1,30 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Use of GET request method with sensitive query strings (password) + +## Description + +The user's password was identified in the request URL. Passwords should never be sent in GET +requests as they maybe captured by proxy systems, stored in browser history, or stored in +log files. If an attacker were to get access to these logs or logging systems, they would +be able to gain access to the target account. + +## Remediation + +Passwords should never be sent in GET requests. When authenticating users or requesting users +reset their passwords, always use POST requests to transmit sensitive data. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 598.2 | true | 598 | Passive | Medium | + +## Links + +- [OWASP](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url) +- [CWE](https://cwe.mitre.org/data/definitions/598.html) |
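Review bot: the Description paragraph has a typo, "as they maybe captured by proxy systems" should read "as they may be captured by proxy systems, stored in browser history, or stored in log files"; while touching it, the Remediation section would be stronger if it tied the advice back to those three exposure channels, e.g. "Moving the password into the body of a POST request keeps it out of the URL, so it is no longer recorded in proxy logs, browser history, or server access logs", since the current text only repeats "never send passwords in GET requests" without saying what the change buys the reader. The Links list also ends with a stray "|" after the CWE entry that should be dropped.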