Query string definition
A query string is a part of a URL that assigns values to specified parameters. It usually starts with a question mark (?) followed by key-value pairs. Each pair is separated by an ampersand (&), and within each pair, the key and value are connected by an equals sign (=).
In the URL:
https://www.example.com/page?param1=value1¶m2=value2
The query string is ?param1=value1¶m2=value2.
Query strings send data to the server to customize the response. For example, a query string carries the search terms, indicates the sorting order of products, or shows the current page number of a multi-page list of items.
See also: XSS, SQL injection, cross-site request forgery
Query string vulnerabilities
- Information disclosure. Query strings are visible in the browser's address bar, bookmarks, browsing history, and referral logs. If sensitive data (passwords, authentication tokens, or personally identifiable information) is passed in the query string, it can be exposed to any person with access to the URLs.
- URL length limitations. Browsers and servers often have a maximum URL length — around 2000 characters. Large amounts of data in a query string can result in URLs exceeding these limits, causing server errors or truncated data.
- Web server log exposure. Web servers typically log URLs accessed, including the query string. If sensitive information isn't secured correctly in the query string, it could be stored in server logs and become a source of data leaks.
- Manipulation. Users or attackers can easily modify and exploit query strings if the application acts on the query string without validating or sanitizing it.
- Inefficient data transmission. Sending large amounts of data through query strings is less efficient than using POST requests, which can handle much larger payloads.
- Cross-site scripting (XSS). If a web application doesn't properly validate or escape data from query strings before displaying it on a webpage, it can be vulnerable to XSS attacks. Attackers can inject malicious scripts via query parameters executed in a user's browser.
- SQL injection. If the application uses raw query string data in database queries without proper validation and parameterization, it might be vulnerable to SQL injection attacks.
- CSRF (cross-site request forgery). Using query strings for critical operations can make it easier for attackers to craft malicious URLs that, if clicked by an unsuspecting user, may perform unwanted actions on the website on behalf of the logged-in user.