GET URL parameter can be disclosed in a variety of ways:
- Directly in a web browser address bar.
- In navigation history.
- In web servers or intermediate proxies log files.
What is the potential impact?
Attackers with access to any of those disclosure locations will be able to see and steal a victim’s session token. They can then use it to log in
as the user, impersonate their account, and take advantage of their privileges.
Such an attack can be more or less severe depending on the victim’s privileges. Common security impacts range from data theft to application
takeover.
Data theft
Attackers with access to a compromised account will be able to disclose any information stored on it. This includes the Personally Identifiable
Information (PII) of the user.
The confidentiality of PII is a requirement from national security regulatory authorities in most countries. Insufficiently protecting this data
could have legal consequences and lead to fines or other prosecutions.
Application takeover
Attackers compromise the account of a high-privileged user could modify internal web application logic, disrupt workflows, or change other
application’s settings in a way that will give them full control over it.
Such an attack would lead to reputational damages and financial and legal consequences.
