Authentication / Password Submitted Using GET Method
Password submitted using GET method is an authentication vulnerability in which the password is sent as part of a GET request, that is, inside the URL. This vulnerability is also known as CWE-521 and is identified in the OWASP Testing Guide in section 126.96.36.199 (Sensitive Data Exposure). It occurs when an application does not properly protect passwords and allows them to be sent in plaintext to the web server, so that anyone with access to the network can easily obtain them.
The risk associated with this vulnerability is high, because passwords are sensitive information and, when sent in plaintext, can be read by anyone who can access the network. This can lead to unauthorized access to accounts, data leakage, and even identity theft.
The best solution to this vulnerability is to ensure that passwords are never sent in a GET request. Passwords should be transmitted over an encrypted communication protocol such as HTTPS so that they are protected in transit. Additionally, passwords should never be stored in plaintext on the server; they should be stored in a secure, cryptographically protected format.
The following code (Java, Apache HttpClient) shows an example of a vulnerable web application that sends a password via a GET request:

// Vulnerable: the username and password are concatenated into the query string,
// so the credentials become part of the URL itself.
String url = "http://example.com/login?username=" + username + "&password=" + password;
HttpGet request = new HttpGet(url);              // GET request with the credentials in the URL
HttpResponse response = httpClient.execute(request);
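Because the URL of a GET request is recorded in server access logs, proxy logs, browser history and the Referer header, this leak can be found after the fact by scanning logs. The following is an added example (not code from the original page): a Python scanner that reads constructed combined-format access-log lines and flags requests whose request line or Referer carries a credential-like parameter; the list of sensitive parameter names is an assumption to be adapted to the application.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?username=alice&password=Hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /dashboard HTTP/1.1" 200 4096 "http://example.com/login?username=alice&password=Hunter2" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /search?q=password+reset HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

# Assumed parameter names that should never appear in a URL; extend with the app's own names.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def sensitive_params(url_or_target):
    """Return the sensitive parameter names found in the query string of a URL or request target."""
    query = urlsplit(url_or_target).query
    return sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})

def scan_access_log(text):
    """Flag lines where a credential travelled in the request URL or leaked onward via Referer."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for where, value in (("request", m["target"]), ("referer", m["referer"])):
            params = sensitive_params(value)
            if params:
                # Record parameter names only, never values: the log is already the leak.
                findings.append({"line": lineno, "ip": m["ip"], "where": where, "params": params})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} leaked {','.join(f['params'])} via {f['where']}")
```

The second sample line shows the secondary leak: once the credential is in the URL, the browser forwards it to the next page in the Referer header, so HTTPS alone does not contain it.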