undefined | Better HN

0 pointszwp5y ago0 comments

Query params often end in stuff like web server (WAF, load-balancer, reverse proxy, ...) access logs and they might get accidentally exposed.

They shouldn't get exposed of course, but they do. [EDIT: redacted an example of some random dude's access log]

If you search for "password" in there you will likely see a new Mirai bot variant [1] bouncing credentials off the server looking for weblogin.cgi on vulnerable Zyxel devices.

I imagine PA highlit this detail in their post ("weblogin.cgi accepts both HTTP GET and POST") exactly to ensure sure defenders don't restrict themselves to blocking or investigating only the more normal POST mechanism.

[1] https://unit42.paloaltonetworks.com/new-mirai-variant-mukash...

0 comments

ShinTakuya5y ago

Yeah that's a fair point. So the security is worse in that sense, so many ways to leak it. It'd be insanity to put sensitive info in the query params either way. It's just not the appropriate place for them.

j / k navigate · click thread line to collapse