ZAP – Session ID in URL Rewrite

Details
Alert ID	3-2
Alert Type	Passive
Status	release
Risk	Medium
CWE	598
WASC	13
Technologies Targeted	All
Tags	CWE-598 OWASP_2017_A03 OWASP_2021_A01 POLICY_DEV_STD POLICY_PENTEST POLICY_QA_STD SYSTEMIC WSTG-V42-SESS-04
More Info	Scan Rule Help

Summary

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Other Info

References

https://seclists.org/webappsec/2002/q4/111

Code

org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java