Bug #92
closedFeature #65: Security Audit
[Security Audit ] 27 -Sensitive Data Passed Through URL Parameters
0%
Description
27- Sensitive Data Passed Through URL Parameters
CWE : CWE-598
Description :
The web application uses the HTTP GET method to process a request and includes
sensitive information in the query string of that request.
Affected Path(s) :
https://his-healthidservice.satragroup.in/abdm/isAvailable/customHealthId/srinuks.1 *-Applicable to entire
application
Impact :
This allows attackers to obtain sensitive data such as usernames, passwords, tokens
(authX), database details, and any other potentially sensitive data. Simply using HTTPS
does not resolve this vulnerability.
Recommendation :
When sensitive information is sent, use the POST method (e.g. registration form, login
form, etc.).
Evidence/Proof Of Concept :
Step 1: ABHA Username Passed Through URL as shown in below screenshot.
Files
Updated by Pavan kumar Siddamsetti about 1 year ago
- Assignee set to Pavan kumar Siddamsetti
Updated by Pavan kumar Siddamsetti 12 months ago
- Status changed from New to In Progress
Updated by Vasudev Mamidi 12 months ago
- Status changed from In Progress to Resolved