Risk:
It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive filelocations
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social securitynumber etc.
GET requests are designed to query the server, while POST requests are for submitting data.
However, aside from the technical purpose, attacking query parameters is easier than body parameters, because sending a link to the originalsite, or posting it in a blog or comment, is easier and has better results than the alternative - in order to attack a request with bodyparameters, an attacker would need to create a page containing a form that will be submitted when visited by the victim.It is a lot harder to convince the victim to visit a page that he doesn't know, than letting him visit the original site. It it therefore notrecommended to support body parameters that arrive in the query string.