| Details | |
|---|---|
| Alert ID | 40013-2 |
| Alert Type | Active |
| Status | beta |
| Risk | Low |
| CWE | 384 |
| WASC | 37 |
| Technologies Targeted | All |
| Tags | CWE-384 OWASP_2017_A05 OWASP_2021_A01 OWASP_2025_A01 POLICY_PENTEST WSTG-V42-SESS-03 |
| More Info | Scan Rule Help |
Summary
A session id cookie sent by the server (in the response to the request in which the scan rule set the named parameter to NULL, forcing the server to issue a fresh session cookie) may be accessed by JavaScript on the client. In conjunction with another vulnerability, typically cross-site scripting, this may allow the session to be hijacked.
Solution
1) Use the 'HttpOnly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser.
Other Info
Session identifier cookie field [JSESSIONID], value [valueA] may be accessed using JavaScript in the web browser. The URL on which the issue was discovered was flagged as a logon page.
References
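As an added example (not ZAP's own code and not the rule's implementation), the following Node.js snippet shows the check behind this alert in miniature: it parses the Set-Cookie headers of a constructed logon response, flags session-identifier cookies that lack the HttpOnly attribute, and re-emits the offending header with the flag applied as the solution above describes. The list of session cookie names and the sample headers are assumptions chosen for illustration; the cookie name and value mirror the Other Info text above.

```javascript
// Added example: detect session-id cookies readable by JavaScript (no HttpOnly)
// and show the hardened Set-Cookie header. Not ZAP's code; names and sample
// headers below are constructed for illustration.

// Assumed set of common session cookie names (ZAP uses its own configurable
// list; a real check should use the application's actual session cookie name).
const SESSION_COOKIE_NAMES = new Set([
  'jsessionid', 'phpsessid', 'asp.net_sessionid', 'sessionid', 'session',
  'sid', 'connect.sid', 'cfid', 'cftoken',
]);

// Parse one Set-Cookie header value: "name=value; Attr; Attr=val; ...".
// Attribute names are case-insensitive per RFC 6265.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts.length ? parts[0].indexOf('=') : -1;
  if (eq < 0) throw new Error(`malformed Set-Cookie header: ${header}`);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    sameSite: null,
    path: null,
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim(); // value may itself contain '='
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = val || null;
    else if (key === 'path') cookie.path = val || null;
  }
  return cookie;
}

function isSessionCookie(name) {
  return SESSION_COOKIE_NAMES.has(name.toLowerCase());
}

// What this alert reports: session-id cookies in a response that a script on
// the page could read via document.cookie because HttpOnly is absent.
function findScriptReadableSessionCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => isSessionCookie(c.name) && !c.httpOnly)
    .map((c) => ({ name: c.name, value: c.value }));
}

// The fix from the Solution section: keep every existing attribute and append
// HttpOnly to a session cookie that lacks it. Non-session cookies and cookies
// that already carry the flag are returned unchanged.
function hardenSessionCookie(header) {
  const c = parseSetCookie(header);
  if (!isSessionCookie(c.name) || c.httpOnly) return header;
  return `${header.trim().replace(/;\s*$/, '')}; HttpOnly`;
}

// Constructed sample: a logon response that issues JSESSIONID without HttpOnly
// (the case this alert flags) next to an unrelated preference cookie.
const VULNERABLE_RESPONSE_HEADERS = [
  'JSESSIONID=valueA; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];

// Usage: report the finding and the corrected header.
for (const hit of findScriptReadableSessionCookies(VULNERABLE_RESPONSE_HEADERS)) {
  console.log(`session identifier cookie field [${hit.name}], value [${hit.value}] may be accessed using JavaScript`);
}
console.log('hardened:', hardenSessionCookie(VULNERABLE_RESPONSE_HEADERS[0]));
```

The check is deliberately narrow: it looks only at HttpOnly, which is what this alert covers, and leaves Secure and SameSite alone even though a hardened session cookie should normally carry both. HttpOnly does not prevent a script from using the session (an XSS payload can still issue requests that the browser authenticates with the cookie); it stops the token itself from being read and exfiltrated, which is the hijacking path the Summary describes.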
- https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication
- https://owasp.org/www-community/attacks/Session_fixation
- https://acrossecurity.com/papers/session_fixation.pdf
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html