[ZBXNEXT-8267] Body Parameters Accepted in Query Created: 2023 Feb 10  Updated: 2023 Feb 10

Status: Open
Project: ZABBIX FEATURE REQUESTS
Component/s: Frontend (F)
Affects Version/s: 4.0.44, 5.0.31, 6.0.13, 6.4.0rc1
Fix Version/s: None

Type: New Feature Request Priority: Minor
Reporter: Elina Kuzyutkina (Inactive) Assignee: Zabbix Development Team
Resolution: Unresolved Votes: 0
Labels: api, frontend
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate

 Description   

Hi,
Zabbix web is designed to accept body parameters in the query. That is insecure, and automatic vulnerability scanners react to it.

Risk:
It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
GET requests are designed to query the server, while POST requests are for submitting data.
However, aside from the technical purpose, attacking query parameters is easier than body parameters, because sending a link to the original site, or posting it in a blog or comment, is easier and has better results than the alternative - in order to attack a request with body parameters, an attacker would need to create a page containing a form that will be submitted when visited by the victim. It is a lot harder to convince the victim to visit a page that he doesn't know, than letting him visit the original site. It is therefore not recommended to support body parameters that arrive in the query string.
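
The behaviour the ticket asks for, sketched as an added example (not part of the ticket and not Zabbix code): a request check that accepts data-carrying parameters from the POST body only and rejects them when they arrive in the query string. The parameter names, paths and sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical names of parameters that carry submitted data (constructed for
# this example); they are accepted from the POST body only.
BODY_ONLY = frozenset({"username", "password", "new_password"})


def check_request(method, url, body="", body_only=BODY_ONLY):
    """Return (allowed, reason, params) for one request.

    Query and body are parsed separately and never merged blindly, so a
    crafted link cannot supply a value the application expects from a form.
    """
    # parse_qs percent-decodes names, so "pass%77ord" is seen as "password".
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    misplaced = sorted(body_only.intersection(query))
    if misplaced:
        reason = "body parameter in query string: " + ", ".join(misplaced)
        return False, reason, {}

    # Query parameters that are not body-only (paging, filters) stay usable.
    params = {name: values[-1] for name, values in query.items()}
    if method.upper() == "POST":
        form = parse_qs(body, keep_blank_values=True)
        params.update({name: values[-1] for name, values in form.items()})
    return True, "ok", params


if __name__ == "__main__":
    # Constructed sample requests: (method, URL, form-encoded body).
    samples = [
        ("GET", "/list?page=2", ""),
        ("POST", "/login", "username=alice&password=s3cret"),
        ("GET", "/login?username=alice&password=s3cret", ""),
        ("POST", "/login?pass%77ord=x", "username=alice"),
    ]
    for method, url, body in samples:
        allowed, reason, _ = check_request(method, url, body)
        print(f"{method:4} {url:45} -> {'allow' if allowed else 'reject'} ({reason})")
```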
