Details

Alert Id: 3
Alert Type: Passive Scan Rule
Status: release
Risk: Medium
CWE: 200
WASC: 13

Summary

URL rewriting is used to track the user's session ID, so the ID appears in the URL itself. The session ID may then be disclosed to other sites through the Referer header whenever the user follows a cross-site link. In addition, the session ID might be stored in browser history or server logs.

Solution

For secure content, put the session ID in a cookie. To be even more secure, consider using a combination of a cookie and URL rewriting.
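The check below is an added example written for this page; it is not the ZAP rule's own code. It shows the defender's side of the finding: a small passive check that spots session-ID parameters in URLs (both the `?PHPSESSID=` query form and the `;jsessionid=` path-parameter form), decides whether a given Referer would carry such an ID to a different host, and scans constructed access-log lines for leaked IDs. The parameter-name list and minimum token length are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names commonly used for URL-based session tracking (assumed list,
# extend it to match the frameworks in your environment).
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "aspsessionid", "asp.net_sessionid",
    "sessionid", "sid", "cfid", "cftoken",
}
# Ignore very short values to reduce noise from unrelated parameters (assumption).
MIN_TOKEN_LEN = 8

# Path-parameter form, e.g. /cart;jsessionid=ABC123
_PATH_PARAM = re.compile(r";([A-Za-z_.]+)=([^;/?#]+)")


def find_session_ids_in_url(url):
    """Return a list of (name, value) session-ID-like items found in the URL.

    Both the query string and servlet-style path parameters are inspected.
    """
    parts = urlsplit(url)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES and len(value) >= MIN_TOKEN_LEN:
            findings.append((name, value))
    for m in _PATH_PARAM.finditer(parts.path):
        if m.group(1).lower() in SESSION_PARAM_NAMES and len(m.group(2)) >= MIN_TOKEN_LEN:
            findings.append(m.groups())
    return findings


def referer_leaks_session(referer, target_url):
    """True if a request to target_url would send a session ID from the
    referring page to a different host via the Referer header."""
    if not find_session_ids_in_url(referer):
        return False
    return urlsplit(referer).netloc.lower() != urlsplit(target_url).netloc.lower()


# Combined Log Format request line, e.g. "GET /path?x=1 HTTP/1.1"
_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines, host="localhost"):
    """Return (line_number, parameter_name) pairs for log lines whose request
    path carries a session ID; such logs are themselves a disclosure point."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = _REQUEST.search(line)
        if not m:
            continue
        for name, _value in find_session_ids_in_url("https://" + host + m.group(1)):
            hits.append((lineno, name))
    return hits


# Constructed sample data (not from any real system).
SAMPLE_URLS = [
    "https://shop.example/cart;jsessionid=AB12CD34EF56GH78?item=42",
    "https://shop.example/search?q=shoes&PHPSESSID=9f8e7d6c5b4a3210",
    "https://shop.example/search?q=shoes&page=2",
]
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=shoes&PHPSESSID=9f8e7d6c5b4a3210 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /cart;jsessionid=AB12CD34EF56GH78 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", find_session_ids_in_url(u))
    print("cross-site leak:", referer_leaks_session(SAMPLE_URLS[1], "https://ads.example/click"))
    print("log hits:", scan_access_log(SAMPLE_LOG, host="shop.example"))
```

The fix the solution describes is configuration, not detection: in a Java servlet container, for instance, declaring `<tracking-mode>COOKIE</tracking-mode>` under `<session-config>` in web.xml stops the container from rewriting session IDs into URLs, so the checks above should then report nothing for that application.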

References

Code

org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java