Details
Alert ID 3-3
Alert Type Passive
Status release
Risk Medium
CWE 598
WASC 13
Technologies Targeted All
Tags CWE-598
OWASP_2017_A03
OWASP_2021_A01
POLICY_DEV_STD
POLICY_PENTEST
POLICY_QA_STD
SYSTEMIC
WSTG-V42-SESS-04
More Info Scan Rule Help

Summary

A hyperlink pointing to another host name was found. As session ID URL rewrite is used, it may be disclosed in referer header to external hosts.

Solution

This is a risk if the session ID is sensitive and the hyperlink refers to an external or third party host. For secure content, put session ID in secured session cookie.

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java