Details
Alert Id 3
Alert Type Passive
Status release
Risk Medium
CWE 200
WASC 13
Tags OWASP_2017_A03
OWASP_2021_A01
WSTG-V42-SESS-04

Summary

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

References

Code

org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java