0

I am trying to fix the issues in IBM AppScan results and I'm getting the flag:

AppScan identified a password parameter that was received in the query string

with this command showing in the screen

GET /myapp.com/?username=user&password=**CONFIDENTIAL 1** HTTP/1.1

and I'm 100% sure that I'm not sending critical information in query params or even GET requests. I was thinking that the app is sending the request itself and wants me to block it.

Am I right, or am I missing something here?

Ibrahim Rahhal
  • 323
  • 2
  • 9
  • Most likely during your scan, during the login process, AppScan intercepted this request. If you want to validate this put the browser in development and login to your application. Have a look at the requests that are passing through and see if you can spot this one. Let me know the outcome and we can go from there. – sir_k Oct 13 '20 at 09:15

1 Answer

0

It's quite common for application vulnerability scanners to misinterpret login forms that use JavaScript to make login requests. I am guessing the HTML form does not explicitly declare the request method as POST. Assuming when a user actually makes a request with a browser, a POST request is made, it's safe to assume that AppScan is generating this request itself.

One more issue to consider: if you make the request to https://myapp.com/?username=user&password=password@123, does that return a session token? This is often considered a vulnerability as well if the server does not reject all GET requests even if a user crafts it manually.

ebuntu
  • 151
  • 1
  • 8
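An added example (JavaScript, written for this page; it is not code from the question, the answer, or AppScan) covering the two points the answer makes: a `<form>` that omits `method` submits with GET and so puts the password into the query string, and the server should refuse credentials in a query string rather than process them. It also shows the defender-side check that goes with the question: scanning access-log lines for any request whose query string carries a credential parameter, which would catch both the scanner's own request and a real browser request from a form that defaulted to GET. The parameter-name list, the `/login` path, the base URL used only to resolve relative request targets, and the sample log lines are all constructed assumptions.

```javascript
// Added example, not part of the original question or answer.
// Parameter names treated as credentials; an assumed list, extend it for your application.
const SENSITIVE_PARAMS = ['username', 'password', 'passwd', 'pwd', 'token', 'secret'];
// Base used only so relative request targets such as "/?a=b" can be parsed with URL.
const BASE = 'https://myapp.com';

// Per the HTML spec, a <form> with no method attribute, or an invalid one, submits
// with GET, so every field (including the password) lands in the query string.
function effectiveFormMethod(formTag) {
  const m = /\bmethod\s*=\s*["']?\s*([a-zA-Z]+)/.exec(formTag);
  if (!m) return 'GET';
  const v = m[1].toLowerCase();
  if (v === 'post') return 'POST';
  if (v === 'dialog') return 'DIALOG';
  return 'GET'; // "get" and any invalid value both mean GET
}

// Server-side policy for a login endpoint (assumed path /login): credentials are
// accepted only in a POST body. A request carrying them in the query string is
// rejected outright, and so is any non-POST method, so a hand-crafted GET never
// yields a session token.
function checkLoginRequest(req) {
  const url = new URL(req.url, BASE);
  const leaked = SENSITIVE_PARAMS.filter((p) => url.searchParams.has(p));
  if (leaked.length > 0) {
    return { status: 400, reason: `credential parameter(s) in query string: ${leaked.join(', ')}` };
  }
  if (req.method !== 'POST') {
    return { status: 405, reason: 'login requires POST' };
  }
  return { status: 200, reason: 'ok' };
}

// Access-log check over common-log-format lines. Only parameter NAMES are reported,
// never their values: the log already holds what should not have been there, and
// the report must not copy it further.
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/;

function findCredentialLeaks(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, method, target, status] = m;
    const url = new URL(target, BASE);
    const params = SENSITIVE_PARAMS.filter((p) => url.searchParams.has(p));
    if (params.length === 0) continue;
    hits.push({ ip, method, path: url.pathname, status: Number(status), params });
  }
  return hits;
}

// Constructed sample log lines: one GET with credentials in the query string (the shape
// AppScan reported), one proper POST login, and one harmless GET whose query *value*
// happens to contain the word "password" (matched by name, so it is not flagged).
const SAMPLE_LOG = [
  '203.0.113.5 - - [13/Oct/2020:09:15:00 +0000] "GET /?username=user&password=hunter2 HTTP/1.1" 200 512',
  '203.0.113.5 - - [13/Oct/2020:09:15:01 +0000] "POST /login HTTP/1.1" 302 0',
  '203.0.113.6 - - [13/Oct/2020:09:15:02 +0000] "GET /search?q=password+reset HTTP/1.1" 200 2048',
].join('\n');

console.log(effectiveFormMethod('<form action="/login">'));                // GET
console.log(checkLoginRequest({ method: 'GET', url: '/?username=user&password=hunter2' }));
console.log(JSON.stringify(findCredentialLeaks(SAMPLE_LOG)));
```

If the browser's developer tools show the real login going out as a POST with the credentials in the body (as the comment above suggests checking), the GET in the AppScan report is the scanner's own probe; the `checkLoginRequest` policy is what makes that probe fail with a 400 instead of returning a session, and the log check is how you confirm no real client ever sent one.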