GGUNASEKARAN
Level 3
Status: New

The application passes sensitive parameters in the URL line of many of the requests.

BUSINESS IMPACT: Sensitive data could be disclosed unintentionally through transmission in the URL.

Description

The application uses the URL to pass sensitive data from the client to the server. Data passed in the URL can be exposed because data passed in this manner ends up in unintended locations. These locations can include server logs, local browser history, and proxy logs.

Reproduction Steps

  1. Using Burp Suite, navigate through the application.
  2. Observe that the application passes sensitive parameters in the URL line of many of the requests.

Affected Locations

  • HUB v4.7 and Interact 4.7
  • Decipher v2.3

Recommendation

  • When sensitive data is sent, it should be ensured that POST requests are used instead of GET requests. POST data is not treated the same way as URL data when requests are sent through intermediary systems, and it does not typically get cached or logged.
  • If there are technical constraints that require data to be sent in the URL then strong encryption should be used to encrypt values. It should be ensured that part of this encryption scheme contains protection against data replay so that captured cryptographic values cannot be replayed back to the server. 

References
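The following audit script is an added example, not code from the post or from Blue Prism. It illustrates the first recommendation from the defender's side: query-string parameters of GET requests land in web-server and proxy access logs (and in Referer headers of subsequent requests), while POST bodies do not. The script parses constructed Combined Log Format lines and reports any request or referer URL whose query carries a parameter name from an assumed list of secret-bearing names; the log lines, host names and parameter list are all constructed for the example.

```python
"""Audit web-server access logs for sensitive data carried in URL query strings.

Added example (not Blue Prism's code): GET parameters are written to access logs,
proxy logs and browser history; POST bodies are not. This scans constructed
Combined Log Format lines for query parameters whose names suggest secrets.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry secrets (assumed list; extend per application).
SENSITIVE_NAMES = {"password", "passwd", "pwd", "token", "access_token", "sessionid",
                   "session", "apikey", "api_key", "ssn", "secret", "auth"}

# Combined Log Format:
# host ident authuser [date] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def sensitive_params(target):
    """Return (name, redacted_value) for query params of `target` whose name looks sensitive.

    Values are redacted to their first two characters so the audit report itself
    does not become another copy of the secret.
    """
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in SENSITIVE_NAMES:
            hits.append((name, value[:2] + "***" if value else ""))
    return hits


def audit_log(lines):
    """Scan access-log lines; return one finding per secret exposed in a request or referer URL."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        # Check both the request target and the Referer header: a secret placed in the URL
        # of one page is re-sent (and re-logged) as the Referer of every resource it loads.
        for where, target in (("request", m["target"]), ("referer", m["referer"])):
            if target in ("", "-"):
                continue
            for name, redacted in sensitive_params(target):
                findings.append({"line": lineno, "where": where, "method": m["method"],
                                 "path": urlsplit(target).path, "param": name,
                                 "value": redacted})
    return findings


# Constructed sample lines (not real traffic). Line 1 leaks a password via GET; line 2
# sends the same login by POST, so only the path is logged; line 3 leaks a token through
# the Referer header of an image request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=Hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:14:02:10 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "https://hub.example/reset?token=abcdef123456" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['where']} URL {f['path']} exposes '{f['param']}' = {f['value']}")
```

Running the script on the constructed lines reports the GET login (line 1) and the token carried in the Referer (line 3), and nothing for the POST login on line 2, which is the behaviour the recommendation relies on. The same function can be pointed at real access or proxy logs to confirm a fix has removed every URL-borne secret, not only the ones found during manual testing.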