Leakage of sensitive data in HTTP GET parameters

Description

Sensitive data should never be sent as part of the query string in HTTP GET requests. This is bad practice that can expose sensitive information: query strings are routinely cached and written to server logs, and they remain visible in browser history, so any party with access to those records can read the data.

Remediations

  • Do not send sensitive data through HTTP GET parameters. The query string is stored in plain text in logs and history, even when HTTPS encrypts the request in transit.

        HTTParty.get(
          'https://secure-api.com/user',
          {
            email: user.email # unsafe: ends up in the query string
          }
        )

  • Do use the HTTP POST method to send sensitive data securely. POST requests carry the data in the request body, so it does not appear in the URL.

        HTTParty.post(
          'https://secure-api.com/user',
          body: {
            email: user.email
          }
        )

  • Do use identifiers that do not expose personal or sensitive information, for cases where a GET request is required.

        HTTParty.get(
          'https://secure-api.com/user',
          {
            id: user.uuid # opaque identifier, safe to log
          }
        )
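To make the difference between the two transports concrete, the following is an added example (not part of the Bearer rule page or its project code). It uses Ruby's standard Net::HTTP instead of HTTParty so it runs without extra gems, builds a GET and a POST carrying the same field, shows what an access log would record for each, and includes a small scanner that flags sensitive parameter names in logged request lines. The URL, the sensitive-name list and the log line format are assumptions made for the demo.

```ruby
require "uri"
require "net/http"

# Parameter names treated as sensitive for this demo (an assumed list, not Bearer's).
SENSITIVE_PARAMS = %w[email password token ssn].freeze

# Build a GET request that puts the data in the query string (the unsafe pattern).
# Nothing is sent; we only inspect the request object.
def build_get(base_url, params)
  uri = URI(base_url)
  uri.query = URI.encode_www_form(params)
  Net::HTTP::Get.new(uri)
end

# Build a POST request that puts the same data in the form body (the remediation).
def build_post(base_url, params)
  req = Net::HTTP::Post.new(URI(base_url))
  req.set_form_data(params)
  req
end

# What a typical access log or proxy log records: method, path and query string.
# The request body is not logged, which is why POST keeps the field out of the log.
def logged_line(req)
  "#{req.method} #{req.path}"
end

# Return the sensitive parameter names found in the query string of a logged request line.
def sensitive_params_in_log(line)
  request_target = line.split(" ", 2).last
  query = URI(request_target).query
  return [] unless query

  URI.decode_www_form(query).map(&:first).select { |name| SENSITIVE_PARAMS.include?(name) }
end

# Scan several log lines and keep only the offending ones with their leaked names.
def audit_log(lines)
  lines.each_with_object({}) do |line, findings|
    leaked = sensitive_params_in_log(line)
    findings[line] = leaked unless leaked.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data for the demo.
  base_url = "https://secure-api.com/user"
  data = { email: "alice@example.com" }

  get = build_get(base_url, data)
  post = build_post(base_url, data)

  puts "GET as logged:  #{logged_line(get)}"   # email visible in the query string
  puts "POST as logged: #{logged_line(post)}"  # only the path is recorded
  puts "POST body:      #{post.body}"          # data travels in the body instead

  # Constructed log excerpt: one leaking request, one safe lookup by opaque id.
  sample_log = [
    "GET /user?email=alice%40example.com",
    "GET /user?id=5f0c2e5a-7c7e-4d9d-9b1a-0f3e8c2a1b77",
    "POST /user"
  ]
  audit_log(sample_log).each { |line, names| puts "LEAK #{names.join(',')} in: #{line}" }
end
```

The scanner is deliberately name-based: it reports which sensitive field names appear in a query string, which is the same signal a log-review or Bearer's static rule keys on. Matching on parameter values instead would require knowing the data, while names are stable across requests.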

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_http_get_params

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_http_get_params