Details
Alert ID: 3-3
Alert Type: Passive
Status: release
Risk: Medium
CWE: 200
WASC: 13
Technologies Targeted: All
Tags: CWE-200, OWASP_2017_A03, OWASP_2021_A01, WSTG-V42-SESS-04
More Info: Scan Rule Help

Summary

A hyperlink pointing to another host name was found. Because session ID URL rewriting is in use, the session ID may be disclosed to external hosts through the Referer header when such a link is followed.

Solution

This is a risk if the session ID is sensitive and the hyperlink refers to an external or third-party host. For secure content, carry the session ID in a secured session cookie rather than in the URL.
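The following is an added example, not part of this alert page and not the scan rule's own code. It mirrors the passive check described in the Summary: given a page URL and its HTML body, it detects a session ID carried in the URL (as a query parameter or as a `;jsessionid=` path parameter) and lists hyperlinks whose host differs from the page's host, which are the places the Referer header could disclose the ID. It also shows the cookie-based alternative from the Solution. The session parameter names, the helper names and the sample page are assumptions constructed for the demonstration.

```python
"""Added example: detect a session ID in the page URL plus links to other
hosts, and show the cookie-based alternative. Parameter names and sample
HTML are constructed assumptions, not taken from the ZAP rule."""

from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs, urljoin

# Session-ID parameter names to look for (assumed list; extend as needed).
SESSION_PARAMS = {"jsessionid", "phpsessid", "sessionid", "sid"}


class LinkCollector(HTMLParser):
    """Collect the href of every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def session_id_in_url(url):
    """Return the name of the session parameter carried by the URL, or None."""
    parsed = urlparse(url)
    # Query-string form: ?JSESSIONID=... (parse_qs keeps the original case)
    for name in parse_qs(parsed.query):
        if name.lower() in SESSION_PARAMS:
            return name
    # Path-parameter form used by Java servlet containers: /page;jsessionid=...
    # urlparse exposes the ';...' part of the last path segment as .params
    if parsed.params:
        pname = parsed.params.split("=", 1)[0]
        if pname.lower() in SESSION_PARAMS:
            return pname
    return None


def external_links(page_url, html):
    """Return absolute hrefs whose host differs from the page's host."""
    page_host = urlparse(page_url).hostname
    collector = LinkCollector()
    collector.feed(html)
    result = []
    for href in collector.hrefs:
        target = urljoin(page_url, href)
        host = urlparse(target).hostname
        # Relative links and schemes without a host (mailto:, tel:) are skipped
        if host and host != page_host:
            result.append(target)
    return result


def check_session_id_url_leak(page_url, html):
    """Return (session_param, external_links) when the page both carries a
    session ID in its URL and links to another host; otherwise None."""
    param = session_id_in_url(page_url)
    if param is None:
        return None
    links = external_links(page_url, html)
    if not links:
        return None
    return param, links


def session_cookie_header(name, value):
    """Build the Set-Cookie header that replaces URL rewriting: the ID is
    sent only over TLS, is not readable by scripts, and never appears in
    the Referer header because it is not part of the URL."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample page for the demonstration.
SAMPLE_URL = "https://app.example/shop/cart.jsp;jsessionid=0123456789ABCDEF"
SAMPLE_HTML = """
<html><body>
<a href="/shop/checkout.jsp">Checkout</a>
<a href="https://cdn.example.net/help">Help</a>
<a href="http://partner.example.org/promo">Partner offer</a>
<a href="mailto:support@app.example">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    finding = check_session_id_url_leak(SAMPLE_URL, SAMPLE_HTML)
    if finding:
        param, links = finding
        print(f"session ID in URL ({param}) may be disclosed via Referer to:")
        for link in links:
            print("  ", link)
        print("preferred instead:", session_cookie_header("JSESSIONID", "<id>"))
```

Run against a crawled page's URL and body; only the combination of a session ID in the URL and at least one off-host link produces a finding, which is the condition this rule reports.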

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java