A security/vulnerability scan may return the following flag in a report:
Query String Parameter in HTTPS Request
Sensitive information is sent to the server via URL query string parameters.
Data sent as part of URLs may be stored or viewed in multiple places during and after a request is made to the server.
GET <Server_FQDN>/siteminderagent/forms/smpwservies.fcc?SMENC=UTF-8&USERNAME=<name>$SMENC=UTF-8&SMTOKEN=-SM-%7b ... d&SMAUTHREASON=24&...
a. Parameter: USERNAME
b. Parameter: SMTOKEN
Components: Web Agent; Policy Server
Operating System: ANY
The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks.
At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulnerabilities could lead to an attacker impersonating a legitimate user, obtaining proprietary data, or simply executing actions not intended by the application developers.
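The exposure described above is easiest to confirm from the server side: because the login ID and SMTOKEN travel in the request target, they land in the web server's access log. The script below is an added example, not part of this article or of the product, that scans access-log lines in the common/combined format for query-string parameters that should never appear in a URL, reports the offending requests, and redacts the values so the log can be shared. The sensitive-parameter list, the log format and the sample log lines are assumptions constructed for the example; the request path is the one quoted in the finding above.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that must not travel in a query string. USERNAME and SMTOKEN
# come from the scan finding; the others are assumed additions for completeness.
SENSITIVE_PARAMS = {"username", "smtoken", "password", "sessionid"}

# Request field of an Apache/NGINX common- or combined-format access log line:
# "METHOD target HTTP/x.y"  (assumed log format)
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines: line 1 reproduces the flagged redirect (with the
# token value shortened), line 2 is the same redirect after the fix, line 3 is a
# POST whose credentials are in the body, line 4 is noise that does not parse.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /siteminderagent/forms/smpwservies.fcc'
    '?SMENC=UTF-8&USERNAME=jdoe&SMTOKEN=-SM-%7babc%7d&SMAUTHREASON=24 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /siteminderagent/forms/smpwservies.fcc'
    '?SMENC=UTF-8&SMAUTHREASON=24 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "POST /siteminderagent/forms/login.fcc HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not an access log record',
]


def sensitive_params_in_url(url):
    """Return the names (in order of appearance) of sensitive query parameters in a URL or request target."""
    found = []
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and name not in found:
            found.append(name)
    return found


def scan_access_log(lines):
    """Return (line_no, method, path, [sensitive params]) for every request that leaks data in its query string."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request record; skip rather than fail
        params = sensitive_params_in_url(match.group("target"))
        if params:
            path = urlsplit(match.group("target")).path
            findings.append((line_no, match.group("method"), path, params))
    return findings


def redact_url(url):
    """Replace the value of every sensitive query parameter with [REDACTED], keeping the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = [
        (name, "[REDACTED]" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    # safe="[]" keeps the marker readable instead of percent-encoding the brackets
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


if __name__ == "__main__":
    for line_no, method, path, params in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} leaks {', '.join(params)}")
    print(redact_url("/siteminderagent/forms/smpwservies.fcc?SMENC=UTF-8&USERNAME=jdoe&SMTOKEN=x"))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a zero-finding result for the password-services redirect after the registry change below is the evidence the scan was looking for. Matching is case-insensitive because web agents and proxies do not agree on parameter-name casing.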
Remove the Login ID When Redirecting for Password Services
During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) which was entered by the user is appended to the request URL by default. To modify the default behavior so that the login ID (username) is not appended to redirects, you can do one of the following procedures.
To remove the login ID when redirecting for password services in Windows
1) Log on to the Policy Server
2) Run 'regedit.exe'
3) Browse to the following registry hive:
4) Create a new DWORD key:
0 — Applies the default behavior of appending the UID to the request URL.
1 — Changes the default behavior so that the UID is not appended to the request URL.
To remove the login ID when redirecting for password services in UNIX
1) Log on to the Policy Server
2) Navigate to:
3) Open 'sm.registry' with a text editor.
4) Browse to the following registry hive:
5) Add the following key:
DisallowUsernameInURL= 0x1; REG_DWORD
0x0 — Applies the default behavior of appending the UID to the request URL.
0x1 — Changes the default behavior so that the UID is not appended to the request URL.