What attacks are made possible by public release of my web history?











up vote
3
down vote

favorite












Assume that my internet history is made public (accidently or on purpose). And this release is over 24 hours since the visits were made.



Also assume that there aren't an embarassing sites on there: there isn't any blackmail potential.



(most embarassing page visited in the last week is actually the TV tropes page for my little pony, for which I have a valid reason and a witness).



What potential attacks does this allow? I'm mildly concerned about seeing massive links like:




https://kdp.amazon.com/en_US/ap-post-redirect?openid.assoc_handle=amzn_dtp&aToken=Atza%7CIwEBIO9mWoekr9KzK7rH_Db0gp93sewMCe6UcFPm_MbUhq-jp1m7kF-x0erh6NbjdLX3bm8Gfo3h7yU1nBYHOWso0LiOyUMLgLIDCEMGKGZBqv1EMyT6-EDajBYsH21sek92r5aH6Ahy9POCGEplpeKBVrAiU-vl3uIfOAHihKnB5r2yXPytFCITXM70wB5HBT-MIX3F1Y2G4WfWA-EgIfZY8bLdLangmgVq8hE61eDIFRzcSDtAf0Sz7_zxm1Ix8lV8XFBS8GSML9YSwZ1Gq6nSt9pG7hTZoGQns9nzKLk7WpAWE8RazDLKxVJD-nDsQ9VdBJe7JZJtD7c77swkYneOZ5HXgeGFkGhKsMnP7GSYndXhC_PqzY251iDt0X7e5TWvh86WZA0tG2qZ_lyIagZtB3iw&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin&openid.response_nonce=2018-12-11T13%3A46%3A52Z4004222742336216632&openid.return_to=https%3A%2F%2Fkdp.amazon.com%2Fap-post-redirect&openid.signed=assoc_handle%2CaToken%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2CsiteState%2Cns.pape%2Cpape.auth_policies%2Cpape.auth_time%2Csigned&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fnone&openid.pape.auth_time=2018-12-11T13%3A46%3A52Z&openid.sig=5cx5iHjeLyWTTA9iJ%2BucszunqanOw36djKuNF6%2FOfsM%3D&serial=&siteState=clientContext%3D135-4119325-2722413%2CsourceUrl%3Dhttps%253A%252F%252Fkdp.amazon.com%252Fbookshelf%253Flanguage%253Den_US%2Csignature%3DgqJ53erzurnmO1SPLDK1gLwh9%2FUP6rGUwGF2uZUAAAABAAAAAFwPv8dyYXcAAAAAAsF6s-obfie4v1Ep9rqj




in my history and worrying that secure information might be passed in a URL somewhere.



I am aware that: this makes it easier to impersonate my identity, I'm mostly interested in the leakage of information via the URL itself.










share|improve this question







New contributor




Joe is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • Is it just your browser history or it a complete account/host compromise? It matters because, while your browser history might not provide much (unless you're into obscure porn), if they had access to your computer/profile, cookies, key loggers, screen scrapers are a whole different ballgame.
    – thepip3r
    2 hours ago












  • @thepip3r browser history only - and actually in this use case: url and timestamp pairs.
    – Joe
    1 hour ago










  • "my little pony" Since it's not capitalized, are you literally referring to your little pony?
    – Acccumulation
    6 mins ago















up vote
3
down vote

favorite












Assume that my internet history is made public (accidently or on purpose). And this release is over 24 hours since the visits were made.



Also assume that there aren't an embarassing sites on there: there isn't any blackmail potential.



(most embarassing page visited in the last week is actually the TV tropes page for my little pony, for which I have a valid reason and a witness).



What potential attacks does this allow? I'm mildly concerned about seeing massive links like:




https://kdp.amazon.com/en_US/ap-post-redirect?openid.assoc_handle=amzn_dtp&aToken=Atza%7CIwEBIO9mWoekr9KzK7rH_Db0gp93sewMCe6UcFPm_MbUhq-jp1m7kF-x0erh6NbjdLX3bm8Gfo3h7yU1nBYHOWso0LiOyUMLgLIDCEMGKGZBqv1EMyT6-EDajBYsH21sek92r5aH6Ahy9POCGEplpeKBVrAiU-vl3uIfOAHihKnB5r2yXPytFCITXM70wB5HBT-MIX3F1Y2G4WfWA-EgIfZY8bLdLangmgVq8hE61eDIFRzcSDtAf0Sz7_zxm1Ix8lV8XFBS8GSML9YSwZ1Gq6nSt9pG7hTZoGQns9nzKLk7WpAWE8RazDLKxVJD-nDsQ9VdBJe7JZJtD7c77swkYneOZ5HXgeGFkGhKsMnP7GSYndXhC_PqzY251iDt0X7e5TWvh86WZA0tG2qZ_lyIagZtB3iw&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin&openid.response_nonce=2018-12-11T13%3A46%3A52Z4004222742336216632&openid.return_to=https%3A%2F%2Fkdp.amazon.com%2Fap-post-redirect&openid.signed=assoc_handle%2CaToken%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2CsiteState%2Cns.pape%2Cpape.auth_policies%2Cpape.auth_time%2Csigned&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fnone&openid.pape.auth_time=2018-12-11T13%3A46%3A52Z&openid.sig=5cx5iHjeLyWTTA9iJ%2BucszunqanOw36djKuNF6%2FOfsM%3D&serial=&siteState=clientContext%3D135-4119325-2722413%2CsourceUrl%3Dhttps%253A%252F%252Fkdp.amazon.com%252Fbookshelf%253Flanguage%253Den_US%2Csignature%3DgqJ53erzurnmO1SPLDK1gLwh9%2FUP6rGUwGF2uZUAAAABAAAAAFwPv8dyYXcAAAAAAsF6s-obfie4v1Ep9rqj




in my history and worrying that secure information might be passed in a URL somewhere.



I am aware that: this makes it easier to impersonate my identity, I'm mostly interested in the leakage of information via the URL itself.










share|improve this question







New contributor




Joe is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • Is it just your browser history or it a complete account/host compromise? It matters because, while your browser history might not provide much (unless you're into obscure porn), if they had access to your computer/profile, cookies, key loggers, screen scrapers are a whole different ballgame.
    – thepip3r
    2 hours ago












  • @thepip3r browser history only - and actually in this use case: url and timestamp pairs.
    – Joe
    1 hour ago










  • "my little pony" Since it's not capitalized, are you literally referring to your little pony?
    – Acccumulation
    6 mins ago













up vote
3
down vote

favorite









up vote
3
down vote

favorite











Assume that my internet history is made public (accidently or on purpose). And this release is over 24 hours since the visits were made.



Also assume that there aren't an embarassing sites on there: there isn't any blackmail potential.



(most embarassing page visited in the last week is actually the TV tropes page for my little pony, for which I have a valid reason and a witness).



What potential attacks does this allow? I'm mildly concerned about seeing massive links like:




https://kdp.amazon.com/en_US/ap-post-redirect?openid.assoc_handle=amzn_dtp&aToken=Atza%7CIwEBIO9mWoekr9KzK7rH_Db0gp93sewMCe6UcFPm_MbUhq-jp1m7kF-x0erh6NbjdLX3bm8Gfo3h7yU1nBYHOWso0LiOyUMLgLIDCEMGKGZBqv1EMyT6-EDajBYsH21sek92r5aH6Ahy9POCGEplpeKBVrAiU-vl3uIfOAHihKnB5r2yXPytFCITXM70wB5HBT-MIX3F1Y2G4WfWA-EgIfZY8bLdLangmgVq8hE61eDIFRzcSDtAf0Sz7_zxm1Ix8lV8XFBS8GSML9YSwZ1Gq6nSt9pG7hTZoGQns9nzKLk7WpAWE8RazDLKxVJD-nDsQ9VdBJe7JZJtD7c77swkYneOZ5HXgeGFkGhKsMnP7GSYndXhC_PqzY251iDt0X7e5TWvh86WZA0tG2qZ_lyIagZtB3iw&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin&openid.response_nonce=2018-12-11T13%3A46%3A52Z4004222742336216632&openid.return_to=https%3A%2F%2Fkdp.amazon.com%2Fap-post-redirect&openid.signed=assoc_handle%2CaToken%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2CsiteState%2Cns.pape%2Cpape.auth_policies%2Cpape.auth_time%2Csigned&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fnone&openid.pape.auth_time=2018-12-11T13%3A46%3A52Z&openid.sig=5cx5iHjeLyWTTA9iJ%2BucszunqanOw36djKuNF6%2FOfsM%3D&serial=&siteState=clientContext%3D135-4119325-2722413%2CsourceUrl%3Dhttps%253A%252F%252Fkdp.amazon.com%252Fbookshelf%253Flanguage%253Den_US%2Csignature%3DgqJ53erzurnmO1SPLDK1gLwh9%2FUP6rGUwGF2uZUAAAABAAAAAFwPv8dyYXcAAAAAAsF6s-obfie4v1Ep9rqj




in my history and worrying that secure information might be passed in a URL somewhere.



I am aware that: this makes it easier to impersonate my identity, I'm mostly interested in the leakage of information via the URL itself.










share|improve this question







New contributor




Joe is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Assume that my internet history is made public (accidently or on purpose). And this release is over 24 hours since the visits were made.



Also assume that there aren't an embarassing sites on there: there isn't any blackmail potential.



(most embarassing page visited in the last week is actually the TV tropes page for my little pony, for which I have a valid reason and a witness).



What potential attacks does this allow? I'm mildly concerned about seeing massive links like:




https://kdp.amazon.com/en_US/ap-post-redirect?openid.assoc_handle=amzn_dtp&aToken=Atza%7CIwEBIO9mWoekr9KzK7rH_Db0gp93sewMCe6UcFPm_MbUhq-jp1m7kF-x0erh6NbjdLX3bm8Gfo3h7yU1nBYHOWso0LiOyUMLgLIDCEMGKGZBqv1EMyT6-EDajBYsH21sek92r5aH6Ahy9POCGEplpeKBVrAiU-vl3uIfOAHihKnB5r2yXPytFCITXM70wB5HBT-MIX3F1Y2G4WfWA-EgIfZY8bLdLangmgVq8hE61eDIFRzcSDtAf0Sz7_zxm1Ix8lV8XFBS8GSML9YSwZ1Gq6nSt9pG7hTZoGQns9nzKLk7WpAWE8RazDLKxVJD-nDsQ9VdBJe7JZJtD7c77swkYneOZ5HXgeGFkGhKsMnP7GSYndXhC_PqzY251iDt0X7e5TWvh86WZA0tG2qZ_lyIagZtB3iw&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AEK7TIVVPUJDAK3JIFQIQ77WZWDQ&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin&openid.response_nonce=2018-12-11T13%3A46%3A52Z4004222742336216632&openid.return_to=https%3A%2F%2Fkdp.amazon.com%2Fap-post-redirect&openid.signed=assoc_handle%2CaToken%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2CsiteState%2Cns.pape%2Cpape.auth_policies%2Cpape.auth_time%2Csigned&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fnone&openid.pape.auth_time=2018-12-11T13%3A46%3A52Z&openid.sig=5cx5iHjeLyWTTA9iJ%2BucszunqanOw36djKuNF6%2FOfsM%3D&serial=&siteState=clientContext%3D135-4119325-2722413%2CsourceUrl%3Dhttps%253A%252F%252Fkdp.amazon.com%252Fbookshelf%253Flanguage%253Den_US%2Csignature%3DgqJ53erzurnmO1SPLDK1gLwh9%2FUP6rGUwGF2uZUAAAABAAAAAFwPv8dyYXcAAAAAAsF6s-obfie4v1Ep9rqj




in my history and worrying that secure information might be passed in a URL somewhere.



I am aware that: this makes it easier to impersonate my identity, I'm mostly interested in the leakage of information via the URL itself.







web-browser url historical






share|improve this question







New contributor




Joe is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




Joe is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




Joe is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 3 hours ago









Joe

1164




1164




New contributor




Joe is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Joe is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Joe is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • Is it just your browser history or it a complete account/host compromise? It matters because, while your browser history might not provide much (unless you're into obscure porn), if they had access to your computer/profile, cookies, key loggers, screen scrapers are a whole different ballgame.
    – thepip3r
    2 hours ago












  • @thepip3r browser history only - and actually in this use case: url and timestamp pairs.
    – Joe
    1 hour ago










  • "my little pony" Since it's not capitalized, are you literally referring to your little pony?
    – Acccumulation
    6 mins ago


















  • Is it just your browser history or it a complete account/host compromise? It matters because, while your browser history might not provide much (unless you're into obscure porn), if they had access to your computer/profile, cookies, key loggers, screen scrapers are a whole different ballgame.
    – thepip3r
    2 hours ago












  • @thepip3r browser history only - and actually in this use case: url and timestamp pairs.
    – Joe
    1 hour ago










  • "my little pony" Since it's not capitalized, are you literally referring to your little pony?
    – Acccumulation
    6 mins ago
















Is it just your browser history or it a complete account/host compromise? It matters because, while your browser history might not provide much (unless you're into obscure porn), if they had access to your computer/profile, cookies, key loggers, screen scrapers are a whole different ballgame.
– thepip3r
2 hours ago






Is it just your browser history or it a complete account/host compromise? It matters because, while your browser history might not provide much (unless you're into obscure porn), if they had access to your computer/profile, cookies, key loggers, screen scrapers are a whole different ballgame.
– thepip3r
2 hours ago














@thepip3r browser history only - and actually in this use case: url and timestamp pairs.
– Joe
1 hour ago




@thepip3r browser history only - and actually in this use case: url and timestamp pairs.
– Joe
1 hour ago












"my little pony" Since it's not capitalized, are you literally referring to your little pony?
– Acccumulation
6 mins ago




"my little pony" Since it's not capitalized, are you literally referring to your little pony?
– Acccumulation
6 mins ago










4 Answers
4






active

oldest

votes

















up vote
7
down vote













Your question might be more undefined than you realise. Any kind of data can be passed using URL parameters. Usernames, passwords, authentication tokens, settings, form data, or anything the web developer chooses. It's not always good practice to use URL parameters to for this, but it is always possible.



And it's entirely up to each individual web developer on each individual page (not just site) as to what might be exposed and when. So you might not be able to predict what might be exposed.



So, to answer your question, in the worst case, you could experience a complete and utter disclosure of any amount of personal data including credentials.



By request, I did a search for the practice of "passwords in URL parameters" and restricted results to this year. Here's one of the top hits:



https://answers.splunk.com/answers/622600/how-to-pass-username-and-password-as-a-parameter-v.html



That's a forum from Feb 2018 from a major, publicly traded company talking about how to do this.



Here is OWASP's official page on this vulnerability:




The parameter values for 'user', 'authz_token', and 'expire' will be
exposed in the following locations when using HTTP or HTTPS:



Referer

Header
Web Logs
Shared Systems
Browser History
Browser Cache

Shoulder Surfing







share|improve this answer



















  • 2




    The only thing I'd add to this is that the problem is also worse because while you're correct that any data can be passed via URL, the problem is compounded by the fact that what information is passed via a URL and whether and how it is secured is up to each individual company you're visiting and furthermore, the standards of the web programmers who developed each page. So you could never say by looking at one URL that there wasn't any sensitive data passed--you couldn't even say that about different URLs from the same site...
    – thepip3r
    2 hours ago












  • @thepip3r - oh that's interesting - so you are saying that there might be information visible only to employees of that site... cute...
    – Joe
    1 hour ago










  • @schroeder - I think you probably have the key point - what would make this a really great answer for me is a couple of examples of like 'news story were site was critised for leakage' or 'famous site has this url flaw briefly'
    – Joe
    58 mins ago










  • @Joe OWASP has an official page for this (added to my answer) and the use of URL parameters was so widespread that I'm not even sure that it would be "newsworthy". It's just considered really poor practice.
    – schroeder
    25 mins ago










  • @thepip3r added a note, thanks!
    – schroeder
    23 mins ago


















up vote
1
down vote













Quite a bit actually:




  • Extortion based off content

  • Mapping systems that are not public

  • Sensitive parameters in certain requests

  • Personal information


Extortion



That search of yours that may be embarrassing and taken out of context. A WebMD search for a medical condition you don't want made known to co-workers for example. A search that was best done in incognito mode you forgot about.



Mapping systems that are not public



How about your works intranet site or that production web portal, well those names are going to pop up in your history now and if its something like Jenkins - thats a great candidate for a DNS rebind attack.



Sensitive parameters in certain requests



If you visit a site that just does the internet wrong and the parameter contains an API key, password, credential or just an account ID well that is captured and can be used now.



Personal information



I see you've been searching for holidays in March for 2 weeks - that would be a great time to break in to your house or impersonate you. Looking for an engagement ring well that sounds like something worth stealing. You did a google map from your address to another location?






share|improve this answer




























    up vote
    0
    down vote













    Having your browsing history exposed means the attacker has in possession the list of url's your browser has accessed. From a complex url an attacker can identify these information:




    1. Protocol

    2. Subdomain

    3. Domain

    4. Port

    5. Path

    6. Parameters of a query

    7. Fragment


    enter image description here



    Now, your privacy depends on the way the developer has built the site.



    If you logged in in a website that has an url like this:



    www.example.com/?login=**myusers**&password=**mypassword**


    then the attacker has your credentials for that site.



    Some of possible attacks would be:




    1. sql injection

    2. URL Manipulation

    3. Directory Traversal

    4. Identify theft


    In simple words, your privacy/risk depends on the security level the site has.






    share|improve this answer



















    • 2




      All of the attacks you list are attacks that could be possible against sites that he visited, none of them are attacks against him made possible by disclosure of the urls. URL Manipulation could be relevant, but I don't see how sql injection or directory traversal are.
      – AndrolGenhald
      2 hours ago












    • Bad security of a site, brings automatically a threat to the users whom have information stored on that site.
      – Vini7
      2 hours ago






    • 2




      Absolutely, but that threat exists with or without OP's browser history being exposed. The browser history may allow someone targeting him to look for vulnerabilities in those specific sites because they know he has an account there, but I certainly wouldn't say "sql injection is made possible by public release of browser history".
      – AndrolGenhald
      2 hours ago


















    up vote
    -1
    down vote













    To add to the post about information leakage in URL:



    An attacker that has this may:



    1: Extract what sites you use to try and log into to see if you are using the same creds [assumes attacker has captured a cred]



    2: This info grants much more advanced knowledge for creating phishing attacks EX: "you've been selected to screen the new MLP season [whatever]"



    3: Possible physical tracking based on sites "oh their kid goes to "little gals daycare" because I see them log into to pay that bill"



    Could be more depending on what's in there.






    share|improve this answer























    • I'm not sure how the URL parameters provide all that. Just the URLs would be enough.
      – schroeder
      22 mins ago










    • @schroeder I didn't see that the question asked for only information that would need parameters.
      – Acccumulation
      2 mins ago











    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "162"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    Joe is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199557%2fwhat-attacks-are-made-possible-by-public-release-of-my-web-history%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    4 Answers
    4






    active

    oldest

    votes








    4 Answers
    4






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    7
    down vote













    Your question might be more undefined than you realise. Any kind of data can be passed using URL parameters. Usernames, passwords, authentication tokens, settings, form data, or anything the web developer chooses. It's not always good practice to use URL parameters to for this, but it is always possible.



    And it's entirely up to each individual web developer on each individual page (not just site) as to what might be exposed and when. So you might not be able to predict what might be exposed.



    So, to answer your question, in the worst case, you could experience a complete and utter disclosure of any amount of personal data including credentials.



    By request, I did a search for the practice of "passwords in URL parameters" and restricted results to this year. Here's one of the top hits:



    https://answers.splunk.com/answers/622600/how-to-pass-username-and-password-as-a-parameter-v.html



    That's a forum from Feb 2018 from a major, publicly traded company talking about how to do this.



    Here is OWASP's official page on this vulnerability:




    The parameter values for 'user', 'authz_token', and 'expire' will be
    exposed in the following locations when using HTTP or HTTPS:



    Referer

    Header
    Web Logs
    Shared Systems
    Browser History
    Browser Cache

    Shoulder Surfing







    share|improve this answer



















    • 2




      The only thing I'd add to this is that the problem is also worse because while you're correct that any data can be passed via URL, the problem is compounded by the fact that what information is passed via a URL and whether and how it is secured is up to each individual company you're visiting and furthermore, the standards of the web programmers who developed each page. So you could never say by looking at one URL that there wasn't any sensitive data passed--you couldn't even say that about different URLs from the same site...
      – thepip3r
      2 hours ago












    • @thepip3r - oh that's interesting - so you are saying that there might be information visible only to employees of that site... cute...
      – Joe
      1 hour ago










    • @schroeder - I think you probably have the key point - what would make this a really great answer for me is a couple of examples of like 'news story were site was critised for leakage' or 'famous site has this url flaw briefly'
      – Joe
      58 mins ago










    • @Joe OWASP has an official page for this (added to my answer) and the use of URL parameters was so widespread that I'm not even sure that it would be "newsworthy". It's just considered really poor practice.
      – schroeder
      25 mins ago










    • @thepip3r added a note, thanks!
      – schroeder
      23 mins ago















    up vote
    7
    down vote













    Your question might be more undefined than you realise. Any kind of data can be passed using URL parameters. Usernames, passwords, authentication tokens, settings, form data, or anything the web developer chooses. It's not always good practice to use URL parameters to for this, but it is always possible.



    And it's entirely up to each individual web developer on each individual page (not just site) as to what might be exposed and when. So you might not be able to predict what might be exposed.



    So, to answer your question, in the worst case, you could experience a complete and utter disclosure of any amount of personal data including credentials.



    By request, I did a search for the practice of "passwords in URL parameters" and restricted results to this year. Here's one of the top hits:



    https://answers.splunk.com/answers/622600/how-to-pass-username-and-password-as-a-parameter-v.html



    That's a forum from Feb 2018 from a major, publicly traded company talking about how to do this.



    Here is OWASP's official page on this vulnerability:




    The parameter values for 'user', 'authz_token', and 'expire' will be
    exposed in the following locations when using HTTP or HTTPS:



    Referer

    Header
    Web Logs
    Shared Systems
    Browser History
    Browser Cache

    Shoulder Surfing







    share|improve this answer



















    • 2




      The only thing I'd add to this is that the problem is also worse because while you're correct that any data can be passed via URL, the problem is compounded by the fact that what information is passed via a URL and whether and how it is secured is up to each individual company you're visiting and furthermore, the standards of the web programmers who developed each page. So you could never say by looking at one URL that there wasn't any sensitive data passed--you couldn't even say that about different URLs from the same site...
      – thepip3r
      2 hours ago












    • @thepip3r - oh that's interesting - so you are saying that there might be information visible only to employees of that site... cute...
      – Joe
      1 hour ago










    • @schroeder - I think you probably have the key point - what would make this a really great answer for me is a couple of examples of like 'news story were site was critised for leakage' or 'famous site has this url flaw briefly'
      – Joe
      58 mins ago










    • @Joe OWASP has an official page for this (added to my answer) and the use of URL parameters was so widespread that I'm not even sure that it would be "newsworthy". It's just considered really poor practice.
      – schroeder
      25 mins ago










    • @thepip3r added a note, thanks!
      – schroeder
      23 mins ago













    up vote
    7
    down vote










    up vote
    7
    down vote









    Your question might be more undefined than you realise. Any kind of data can be passed using URL parameters. Usernames, passwords, authentication tokens, settings, form data, or anything the web developer chooses. It's not always good practice to use URL parameters to for this, but it is always possible.



    And it's entirely up to each individual web developer on each individual page (not just site) as to what might be exposed and when. So you might not be able to predict what might be exposed.



    So, to answer your question, in the worst case, you could experience a complete and utter disclosure of any amount of personal data including credentials.



    By request, I did a search for the practice of "passwords in URL parameters" and restricted results to this year. Here's one of the top hits:



    https://answers.splunk.com/answers/622600/how-to-pass-username-and-password-as-a-parameter-v.html



    That's a forum from Feb 2018 from a major, publicly traded company talking about how to do this.



    Here is OWASP's official page on this vulnerability:




    The parameter values for 'user', 'authz_token', and 'expire' will be
    exposed in the following locations when using HTTP or HTTPS:



    Referer

    Header
    Web Logs
    Shared Systems
    Browser History
    Browser Cache

    Shoulder Surfing







    share|improve this answer














    Your question might be more undefined than you realise. Any kind of data can be passed using URL parameters. Usernames, passwords, authentication tokens, settings, form data, or anything the web developer chooses. It's not always good practice to use URL parameters to for this, but it is always possible.



    And it's entirely up to each individual web developer on each individual page (not just site) as to what might be exposed and when. So you might not be able to predict what might be exposed.



    So, to answer your question, in the worst case, you could experience a complete and utter disclosure of any amount of personal data including credentials.



    By request, I did a search for the practice of "passwords in URL parameters" and restricted results to this year. Here's one of the top hits:



    https://answers.splunk.com/answers/622600/how-to-pass-username-and-password-as-a-parameter-v.html



    That's a forum from Feb 2018 from a major, publicly traded company talking about how to do this.



    Here is OWASP's official page on this vulnerability:




    The parameter values for 'user', 'authz_token', and 'expire' will be
    exposed in the following locations when using HTTP or HTTPS:



    Referer

    Header
    Web Logs
    Shared Systems
    Browser History
    Browser Cache

    Shoulder Surfing








    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 26 mins ago

























    answered 3 hours ago









    schroeder

    72.2k29157192




    72.2k29157192








    • 2




      The only thing I'd add to this is that the problem is also worse because while you're correct that any data can be passed via URL, the problem is compounded by the fact that what information is passed via a URL and whether and how it is secured is up to each individual company you're visiting and furthermore, the standards of the web programmers who developed each page. So you could never say by looking at one URL that there wasn't any sensitive data passed--you couldn't even say that about different URLs from the same site...
      – thepip3r
      2 hours ago












    • @thepip3r - oh that's interesting - so you are saying that there might be information visible only to employees of that site... cute...
      – Joe
      1 hour ago










    • @schroeder - I think you probably have the key point - what would make this a really great answer for me is a couple of examples of like 'news story were site was critised for leakage' or 'famous site has this url flaw briefly'
      – Joe
      58 mins ago










    • @Joe OWASP has an official page for this (added to my answer) and the use of URL parameters was so widespread that I'm not even sure that it would be "newsworthy". It's just considered really poor practice.
      – schroeder
      25 mins ago










    • @thepip3r added a note, thanks!
      – schroeder
      23 mins ago














    • 2




      The only thing I'd add to this is that the problem is also worse because while you're correct that any data can be passed via URL, the problem is compounded by the fact that what information is passed via a URL and whether and how it is secured is up to each individual company you're visiting and furthermore, the standards of the web programmers who developed each page. So you could never say by looking at one URL that there wasn't any sensitive data passed--you couldn't even say that about different URLs from the same site...
      – thepip3r
      2 hours ago












    • @thepip3r - oh that's interesting - so you are saying that there might be information visible only to employees of that site... cute...
      – Joe
      1 hour ago










    • @schroeder - I think you probably have the key point - what would make this a really great answer for me is a couple of examples of like 'news story were site was critised for leakage' or 'famous site has this url flaw briefly'
      – Joe
      58 mins ago










    • @Joe OWASP has an official page for this (added to my answer) and the use of URL parameters was so widespread that I'm not even sure that it would be "newsworthy". It's just considered really poor practice.
      – schroeder
      25 mins ago










    • @thepip3r added a note, thanks!
      – schroeder
      23 mins ago








    2




    2




    The only thing I'd add to this is that the problem is also worse because while you're correct that any data can be passed via URL, the problem is compounded by the fact that what information is passed via a URL and whether and how it is secured is up to each individual company you're visiting and furthermore, the standards of the web programmers who developed each page. So you could never say by looking at one URL that there wasn't any sensitive data passed--you couldn't even say that about different URLs from the same site...
    – thepip3r
    2 hours ago






    The only thing I'd add to this is that the problem is also worse because while you're correct that any data can be passed via URL, the problem is compounded by the fact that what information is passed via a URL and whether and how it is secured is up to each individual company you're visiting and furthermore, the standards of the web programmers who developed each page. So you could never say by looking at one URL that there wasn't any sensitive data passed--you couldn't even say that about different URLs from the same site...
    – thepip3r
    2 hours ago














    @thepip3r - oh that's interesting - so you are saying that there might be information visible only to employees of that site... cute...
    – Joe
    1 hour ago




    @thepip3r - oh that's interesting - so you are saying that there might be information visible only to employees of that site... cute...
    – Joe
    1 hour ago












    @schroeder - I think you probably have the key point - what would make this a really great answer for me is a couple of examples of like 'news story were site was critised for leakage' or 'famous site has this url flaw briefly'
    – Joe
    58 mins ago




    @schroeder - I think you probably have the key point - what would make this a really great answer for me is a couple of examples of like 'news story were site was critised for leakage' or 'famous site has this url flaw briefly'
    – Joe
    58 mins ago












    @Joe OWASP has an official page for this (added to my answer) and the use of URL parameters was so widespread that I'm not even sure that it would be "newsworthy". It's just considered really poor practice.
    – schroeder
    25 mins ago




    @Joe OWASP has an official page for this (added to my answer) and the use of URL parameters was so widespread that I'm not even sure that it would be "newsworthy". It's just considered really poor practice.
    – schroeder
    25 mins ago












    @thepip3r added a note, thanks!
    – schroeder
    23 mins ago




    @thepip3r added a note, thanks!
    – schroeder
    23 mins ago












    up vote
    1
    down vote













    Quite a bit actually:




    • Extortion based off content

    • Mapping systems that are not public

    • Sensitive parameters in certain requests

    • Personal information


    Extortion



    That search of yours that may be embarrassing and taken out of context. A WebMD search for a medical condition you don't want made known to co-workers for example. A search that was best done in incognito mode you forgot about.



    Mapping systems that are not public



    How about your works intranet site or that production web portal, well those names are going to pop up in your history now and if its something like Jenkins - thats a great candidate for a DNS rebind attack.



    Sensitive parameters in certain requests



    If you visit a site that just does the internet wrong and the parameter contains an API key, password, credential or just an account ID well that is captured and can be used now.



    Personal information



    I see you've been searching for holidays in March for 2 weeks - that would be a great time to break in to your house or impersonate you. Looking for an engagement ring well that sounds like something worth stealing. You did a google map from your address to another location?






    share|improve this answer

























      up vote
      1
      down vote













      Quite a bit actually:




      • Extortion based off content

      • Mapping systems that are not public

      • Sensitive parameters in certain requests

      • Personal information


      Extortion



      That search of yours that may be embarrassing and taken out of context. A WebMD search for a medical condition you don't want made known to co-workers for example. A search that was best done in incognito mode you forgot about.



      Mapping systems that are not public



      How about your works intranet site or that production web portal, well those names are going to pop up in your history now and if its something like Jenkins - thats a great candidate for a DNS rebind attack.



      Sensitive parameters in certain requests



      If you visit a site that just does the internet wrong and the parameter contains an API key, password, credential or just an account ID well that is captured and can be used now.



      Personal information



      I see you've been searching for holidays in March for 2 weeks - that would be a great time to break in to your house or impersonate you. Looking for an engagement ring well that sounds like something worth stealing. You did a google map from your address to another location?






      share|improve this answer























        up vote
        1
        down vote










        up vote
        1
        down vote









        Quite a bit actually:




        • Extortion based off content

        • Mapping systems that are not public

        • Sensitive parameters in certain requests

        • Personal information


        Extortion



        That search of yours that may be embarrassing and taken out of context. A WebMD search for a medical condition you don't want made known to co-workers for example. A search that was best done in incognito mode you forgot about.



        Mapping systems that are not public



        How about your works intranet site or that production web portal, well those names are going to pop up in your history now and if its something like Jenkins - thats a great candidate for a DNS rebind attack.



        Sensitive parameters in certain requests



        If you visit a site that just does the internet wrong and the parameter contains an API key, password, credential or just an account ID well that is captured and can be used now.



        Personal information



        I see you've been searching for holidays in March for 2 weeks - that would be a great time to break in to your house or impersonate you. Looking for an engagement ring well that sounds like something worth stealing. You did a google map from your address to another location?






        share|improve this answer












        Quite a bit actually:




        • Extortion based off content

        • Mapping systems that are not public

        • Sensitive parameters in certain requests

        • Personal information


        Extortion



        That search of yours that may be embarrassing and taken out of context. A WebMD search for a medical condition you don't want made known to co-workers for example. A search that was best done in incognito mode you forgot about.



        Mapping systems that are not public



        How about your works intranet site or that production web portal, well those names are going to pop up in your history now and if its something like Jenkins - thats a great candidate for a DNS rebind attack.



        Sensitive parameters in certain requests



        If you visit a site that just does the internet wrong and the parameter contains an API key, password, credential or just an account ID well that is captured and can be used now.



        Personal information



        I see you've been searching for holidays in March for 2 weeks - that would be a great time to break in to your house or impersonate you. Looking for an engagement ring well that sounds like something worth stealing. You did a google map from your address to another location?







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 2 hours ago









        McMatty

        2,4851213




        2,4851213






















            up vote
            0
            down vote













            Having your browsing history exposed means the attacker has in possession the list of url's your browser has accessed. From a complex url an attacker can identify these information:




            1. Protocol

            2. Subdomain

            3. Domain

            4. Port

            5. Path

            6. Parameters of a query

            7. Fragment


            enter image description here



            Now, your privacy depends on the way the developer has built the site.



            If you logged in in a website that has an url like this:



            www.example.com/?login=**myusers**&password=**mypassword**


            then the attacker has your credentials for that site.



            Some of possible attacks would be:




            1. sql injection

            2. URL Manipulation

            3. Directory Traversal

            4. Identify theft


            In simple words, your privacy/risk depends on the security level the site has.






            share|improve this answer



















            • 2




              All of the attacks you list are attacks that could be possible against sites that he visited, none of them are attacks against him made possible by disclosure of the urls. URL Manipulation could be relevant, but I don't see how sql injection or directory traversal are.
              – AndrolGenhald
              2 hours ago












            • Bad security of a site, brings automatically a threat to the users whom have information stored on that site.
              – Vini7
              2 hours ago






            • 2




              Absolutely, but that threat exists with or without OP's browser history being exposed. The browser history may allow someone targeting him to look for vulnerabilities in those specific sites because they know he has an account there, but I certainly wouldn't say "sql injection is made possible by public release of browser history".
              – AndrolGenhald
              2 hours ago















            up vote
            0
            down vote













            Having your browsing history exposed means the attacker has in possession the list of url's your browser has accessed. From a complex url an attacker can identify these information:




            1. Protocol

            2. Subdomain

            3. Domain

            4. Port

            5. Path

            6. Parameters of a query

            7. Fragment


            enter image description here



            Now, your privacy depends on the way the developer has built the site.



            If you logged in in a website that has an url like this:



            www.example.com/?login=**myusers**&password=**mypassword**


            then the attacker has your credentials for that site.



            Some of possible attacks would be:




            1. sql injection

            2. URL Manipulation

            3. Directory Traversal

            4. Identify theft


            In simple words, your privacy/risk depends on the security level the site has.






            share|improve this answer



















            • 2




              All of the attacks you list are attacks that could be possible against sites that he visited, none of them are attacks against him made possible by disclosure of the urls. URL Manipulation could be relevant, but I don't see how sql injection or directory traversal are.
              – AndrolGenhald
              2 hours ago












            • Bad security of a site, brings automatically a threat to the users whom have information stored on that site.
              – Vini7
              2 hours ago






            • 2




              Absolutely, but that threat exists with or without OP's browser history being exposed. The browser history may allow someone targeting him to look for vulnerabilities in those specific sites because they know he has an account there, but I certainly wouldn't say "sql injection is made possible by public release of browser history".
              – AndrolGenhald
              2 hours ago













            up vote
            0
            down vote










            up vote
            0
            down vote









            Having your browsing history exposed means the attacker has in possession the list of url's your browser has accessed. From a complex url an attacker can identify these information:




            1. Protocol

            2. Subdomain

            3. Domain

            4. Port

            5. Path

            6. Parameters of a query

            7. Fragment


            enter image description here



            Now, your privacy depends on the way the developer has built the site.



            If you logged in in a website that has an url like this:



            www.example.com/?login=**myusers**&password=**mypassword**


            then the attacker has your credentials for that site.



            Some of possible attacks would be:




            1. sql injection

            2. URL Manipulation

            3. Directory Traversal

            4. Identify theft


            In simple words, your privacy/risk depends on the security level the site has.






            share|improve this answer














            Having your browsing history exposed means the attacker has in possession the list of url's your browser has accessed. From a complex url an attacker can identify these information:




            1. Protocol

            2. Subdomain

            3. Domain

            4. Port

            5. Path

            6. Parameters of a query

            7. Fragment


            enter image description here



            Now, your privacy depends on the way the developer has built the site.



            If you logged in in a website that has an url like this:



            www.example.com/?login=**myusers**&password=**mypassword**


            then the attacker has your credentials for that site.



            Some of possible attacks would be:




            1. sql injection

            2. URL Manipulation

            3. Directory Traversal

            4. Identify theft


            In simple words, your privacy/risk depends on the security level the site has.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 2 hours ago









            AndrolGenhald

            8,98241831




            8,98241831










            answered 2 hours ago









            Vini7

            543412




            543412








            • 2




              All of the attacks you list are attacks that could be possible against sites that he visited, none of them are attacks against him made possible by disclosure of the urls. URL Manipulation could be relevant, but I don't see how sql injection or directory traversal are.
              – AndrolGenhald
              2 hours ago












            • Bad security of a site, brings automatically a threat to the users whom have information stored on that site.
              – Vini7
              2 hours ago






            • 2




              Absolutely, but that threat exists with or without OP's browser history being exposed. The browser history may allow someone targeting him to look for vulnerabilities in those specific sites because they know he has an account there, but I certainly wouldn't say "sql injection is made possible by public release of browser history".
              – AndrolGenhald
              2 hours ago














            • 2




              All of the attacks you list are attacks that could be possible against sites that he visited, none of them are attacks against him made possible by disclosure of the urls. URL Manipulation could be relevant, but I don't see how sql injection or directory traversal are.
              – AndrolGenhald
              2 hours ago












            • Bad security of a site, brings automatically a threat to the users whom have information stored on that site.
              – Vini7
              2 hours ago






            • 2




              Absolutely, but that threat exists with or without OP's browser history being exposed. The browser history may allow someone targeting him to look for vulnerabilities in those specific sites because they know he has an account there, but I certainly wouldn't say "sql injection is made possible by public release of browser history".
              – AndrolGenhald
              2 hours ago








            2




            2




            All of the attacks you list are attacks that could be possible against sites that he visited, none of them are attacks against him made possible by disclosure of the urls. URL Manipulation could be relevant, but I don't see how sql injection or directory traversal are.
            – AndrolGenhald
            2 hours ago






            All of the attacks you list are attacks that could be possible against sites that he visited, none of them are attacks against him made possible by disclosure of the urls. URL Manipulation could be relevant, but I don't see how sql injection or directory traversal are.
            – AndrolGenhald
            2 hours ago














            Bad security of a site, brings automatically a threat to the users whom have information stored on that site.
            – Vini7
            2 hours ago




            Bad security of a site, brings automatically a threat to the users whom have information stored on that site.
            – Vini7
            2 hours ago




            2




            2




            Absolutely, but that threat exists with or without OP's browser history being exposed. The browser history may allow someone targeting him to look for vulnerabilities in those specific sites because they know he has an account there, but I certainly wouldn't say "sql injection is made possible by public release of browser history".
            – AndrolGenhald
            2 hours ago




            Absolutely, but that threat exists with or without OP's browser history being exposed. The browser history may allow someone targeting him to look for vulnerabilities in those specific sites because they know he has an account there, but I certainly wouldn't say "sql injection is made possible by public release of browser history".
            – AndrolGenhald
            2 hours ago










            up vote
            -1
            down vote













            To add to the post about information leakage in URL:



            An attacker that has this may:



            1: Extract what sites you use to try and log into to see if you are using the same creds [assumes attacker has captured a cred]



            2: This info grants much more advanced knowledge for creating phishing attacks EX: "you've been selected to screen the new MLP season [whatever]"



            3: Possible physical tracking based on sites "oh their kid goes to "little gals daycare" because I see them log into to pay that bill"



            Could be more depending on what's in there.






            share|improve this answer























            • I'm not sure how the URL parameters provide all that. Just the URLs would be enough.
              – schroeder
              22 mins ago










            • @schroeder I didn't see that the question asked for only information that would need parameters.
              – Acccumulation
              2 mins ago















            up vote
            -1
            down vote













            To add to the post about information leakage in URL:



            An attacker that has this may:



            1: Extract what sites you use to try and log into to see if you are using the same creds [assumes attacker has captured a cred]



            2: This info grants much more advanced knowledge for creating phishing attacks EX: "you've been selected to screen the new MLP season [whatever]"



            3: Possible physical tracking based on sites "oh their kid goes to "little gals daycare" because I see them log into to pay that bill"



            Could be more depending on what's in there.






            share|improve this answer























            • I'm not sure how the URL parameters provide all that. Just the URLs would be enough.
              – schroeder
              22 mins ago










            • @schroeder I didn't see that the question asked for only information that would need parameters.
              – Acccumulation
              2 mins ago













            up vote
            -1
            down vote










            up vote
            -1
            down vote









            To add to the post about information leakage in URL:



            An attacker that has this may:



            1: Extract what sites you use to try and log into to see if you are using the same creds [assumes attacker has captured a cred]



            2: This info grants much more advanced knowledge for creating phishing attacks EX: "you've been selected to screen the new MLP season [whatever]"



            3: Possible physical tracking based on sites "oh their kid goes to "little gals daycare" because I see them log into to pay that bill"



            Could be more depending on what's in there.






            share|improve this answer














            To add to the post about information leakage in URL:



            An attacker that has this may:



            1: Extract what sites you use to try and log into to see if you are using the same creds [assumes attacker has captured a cred]



            2: This info grants much more advanced knowledge for creating phishing attacks EX: "you've been selected to screen the new MLP season [whatever]"



            3: Possible physical tracking based on sites "oh their kid goes to "little gals daycare" because I see them log into to pay that bill"



            Could be more depending on what's in there.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 3 hours ago

























            answered 3 hours ago









            bashCypher

            662111




            662111












            • I'm not sure how the URL parameters provide all that. Just the URLs would be enough.
              – schroeder
              22 mins ago










            • @schroeder I didn't see that the question asked for only information that would need parameters.
              – Acccumulation
              2 mins ago


















            • I'm not sure how the URL parameters provide all that. Just the URLs would be enough.
              – schroeder
              22 mins ago










            • @schroeder I didn't see that the question asked for only information that would need parameters.
              – Acccumulation
              2 mins ago
















            I'm not sure how the URL parameters provide all that. Just the URLs would be enough.
            – schroeder
            22 mins ago




            I'm not sure how the URL parameters provide all that. Just the URLs would be enough.
            – schroeder
            22 mins ago












            @schroeder I didn't see that the question asked for only information that would need parameters.
            – Acccumulation
            2 mins ago




            @schroeder I didn't see that the question asked for only information that would need parameters.
            – Acccumulation
            2 mins ago










            Joe is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            Joe is a new contributor. Be nice, and check out our Code of Conduct.













            Joe is a new contributor. Be nice, and check out our Code of Conduct.












            Joe is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199557%2fwhat-attacks-are-made-possible-by-public-release-of-my-web-history%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror

            Mangá

            Eduardo VII do Reino Unido