Bug #92: [Security Audit ] 27 -Sensitive Data Passed Through URL Parameters - E-Arogya - Redmine

Actions

Copy link

Bug #92

closed

Feature #65: Security Audit

[Security Audit ] 27 -Sensitive Data Passed Through URL Parameters

Added by Kalyan Battula about 1 year ago. Updated 7 months ago.

Status:

Closed

Priority:

Low

Assignee:

Pavan kumar Siddamsetti

Category:

Target version:

Security Audit

Start date:

17/04/2024

Due date:

% Done:

Estimated time:

Deployed In:

Category:

Description

27- Sensitive Data Passed Through URL Parameters
CWE : CWE-598
Description :
The web application uses the HTTP GET method to process a request and includes
sensitive information in the query string of that request.
Affected Path(s) :
https://his-healthidservice.satragroup.in/abdm/isAvailable/customHealthId/srinuks.1 *-Applicable to entire
application
Impact :
This allows attackers to obtain sensitive data such as usernames, passwords, tokens
(authX), database details, and any other potentially sensitive data. Simply using HTTPS
does not resolve this vulnerability.
Recommendation :
When sensitive information is sent, use the POST method (e.g. registration form, login
form, etc.).
Evidence/Proof Of Concept :
Step 1: ABHA Username Passed Through URL as shown in below screenshot.

Files

clipboard-202404171610-2mfsz.png (40.2 KB) clipboard-202404171610-2mfsz.png

Kalyan Battula, 17/04/2024 04:10 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

E-Arogya

Custom queries

Bug #92

[Security Audit ] 27 -Sensitive Data Passed Through URL Parameters

Updated by Pavan kumar Siddamsetti about 1 year ago

Updated by Pavan kumar Siddamsetti 12 months ago

Updated by Vasudev Mamidi 12 months ago

Updated by Sivakanth Kesiraju 12 months ago

Updated by Sivakanth Kesiraju 12 months ago

Updated by Gautam Kumar 7 months ago