Web Application Potentially Sensitive CGI Parameter Detection

Info Nessus Plugin ID 40773

Synopsis

An application was found that may use CGI parameters to control sensitive information.

Description

According to their names, some CGI parameters may control sensitive data (e.g., ID, privileges, commands, prices, credit card data, etc.). In the course of using an application, these variables may disclose sensitive data or be prone to tampering that could result in privilege escalation. These parameters should be examined to determine what type of data is controlled and if it poses a security risk.

** This plugin only reports information that may be useful for auditors
** or pen-testers, not a real flaw.

Solution

Ensure sensitive data is not disclosed by CGI parameters. In addition, do not use CGI parameters to control access to resources or privileges.

Plugin Details

Severity: Info

ID: 40773

File Name: webapp_sensitive_cgi_parameters.nasl

Version: Revision: 1.10

Type: remote

Family: CGI abuses

Published: 2009/08/25

Updated: 2012/08/17

Dependencies: 10107, 67257

Risk Information

Risk Factor: Info

Vulnerability Information

Required KB Items: Settings/enable_web_app_tests