SYM_CONF_0032 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

# Use of GET Request Method With Sensitive Query Strings
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-598: Use of GET Request Method With Sensitive Query Strings |
| OWASP | A04:2021 Insecure Design |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
The API key is being sent in the URL as a query parameter, which exposes it in browser history, server logs, and network monitoring tools. API keys should be transmitted in HTTP headers or the request body to keep them confidential.
## Impact
If an attacker gains access to server logs, browser history, or intercepts network traffic, they could steal the API key and use it to access or manipulate protected resources, potentially leading to data breaches, unauthorized operations, or service abuse.
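The following is an added example, not code from the Symbiotic database or the project it catalogues. It shows the hardened client side (key in an `Authorization` header) next to a small scanner that flags access-log entries whose request line already carried a key in the query string; the parameter-name list, the `api.example.com` endpoint and the log lines are all constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
import re

# Query-parameter names treated as credential-bearing (an assumed list for this example).
SENSITIVE_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "secret"}

def sensitive_query_params(url: str) -> list[str]:
    """Return the names of sensitive parameters found in the URL's query string."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]

def redact_url(url: str) -> str:
    """Replace the value of every sensitive query parameter so the URL can be logged."""
    parts = urlsplit(url)
    pairs = [(n, "REDACTED" if n.lower() in SENSITIVE_PARAMS else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

# Matches the request line inside a combined-format access log entry.
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (line number, leaked parameter names) for entries whose request
    target carried a sensitive value; the server already recorded it, so the
    key is exposed and should be rotated."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_LINE_RE.search(line)
        if m:
            leaked = sensitive_query_params(m.group("target"))
            if leaked:
                hits.append((lineno, leaked))
    return hits

def build_request(api_key: str) -> dict:
    """Hardened client side: the key travels in a header, never in the URL."""
    return {"url": "https://api.example.com/v1/reports",  # hypothetical endpoint
            "headers": {"Authorization": f"Bearer {api_key}"}}

# Constructed access-log lines; the first one shows the weakness in this entry.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /v1/reports?api_key=constructedkey123&page=2 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /v1/reports?page=3 HTTP/1.1" 200 498',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /v1/reports HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    for lineno, leaked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: sensitive parameter(s) {leaked} sent in the URL")
    print(redact_url("https://api.example.com/v1/reports?api_key=constructedkey123&page=2"))
```

Running the scanner over existing logs tells you which keys are already exposed and need rotating; `redact_url` is the pattern to apply at the logging layer so future entries never store the value.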