| Details | |
|---|---|
| Alert ID | 40013-5 |
| Alert Type | Active |
| Status | beta |
| Risk | Medium |
| CWE | 384 |
| WASC | 37 |
| Technologies Targeted | All |
| Tags | CWE-384 OWASP_2017_A05 OWASP_2021_A01 OWASP_2025_A01 POLICY_PENTEST WSTG-V42-SESS-03 |
| More Info | Scan Rule Help |
Summary
A session ID is exposed in the URL. A naive user who shares such a URL (one containing the session ID) may inadvertently grant the recipient access to their session and data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also end up in web browser history and bookmarks, web server log files, and proxy server log files, and are sent to third-party sites in the Referer header when the page links out, so the identifier is exposed to parties who never authenticated.
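As an added example (not ZAP's own rule code), the following Python script shows the kind of check this rule performs and the log-file exposure described above: it detects session identifiers in both the servlet path-parameter form (`;jsessionid=...`) and ordinary query parameters, and runs that detector over a few constructed access-log lines. The parameter-name list, the minimum token length, and the logon-page heuristic are assumptions made for the example, not values taken from the rule.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry a session identifier. This is an
# assumed list for the example; the ZAP rule maintains its own.
SESSION_ID_NAMES = {
    "jsessionid", "phpsessid", "aspsessionid", "asp.net_sessionid",
    "sessionid", "session_id", "sessid", "sid", "cfid", "cftoken",
}

# Assumed minimum length: very short values are unlikely to be real
# session tokens, so they are skipped to reduce noise.
MIN_VALUE_LENGTH = 8

# Servlet-style URL rewriting puts the id in a path parameter, not the query:
#   /app/login;jsessionid=1A2B3C4D5E6F7G8H
_PATH_PARAM_RE = re.compile(r";(?P<name>[A-Za-z0-9_.\-]+)=(?P<value>[^;/?#]*)")

# Request line inside a Combined/Common Log Format entry.
_LOG_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed heuristic for the "flagged as a logon page" note in the alert text.
_LOGON_HINT_RE = re.compile(r"log[io]n|sign[-_]?in|auth", re.IGNORECASE)


def find_session_ids(url):
    """Return [(field, value), ...] for each session identifier exposed in url.

    Both the path-parameter form (;jsessionid=...) and ordinary query
    parameters (?PHPSESSID=...) are checked. The parameter *name* is what
    matters: a query like ?q=jsessionid is a search term, not a leak.
    """
    parts = urlsplit(url)  # urlsplit keeps ';name=value' inside .path
    found = []
    for m in _PATH_PARAM_RE.finditer(parts.path):
        name, value = m.group("name"), m.group("value")
        if name.lower() in SESSION_ID_NAMES and len(value) >= MIN_VALUE_LENGTH:
            found.append((name, value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_ID_NAMES and len(value) >= MIN_VALUE_LENGTH:
            found.append((name, value))
    return found


def looks_like_logon_page(url):
    """True if the path suggests a login/logon page (assumed heuristic)."""
    return bool(_LOGON_HINT_RE.search(urlsplit(url).path))


def scan_log_lines(lines):
    """Scan web-server access log lines and report exposed session ids.

    Returns one dict per finding:
    {"line": n, "field": name, "value": token, "logon_page": bool}.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        m = _LOG_REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        target = m.group("target")
        for field, value in find_session_ids(target):
            findings.append({
                "line": n,
                "field": field,
                "value": value,
                "logon_page": looks_like_logon_page(target),
            })
    return findings


# Constructed sample log lines (not real traffic) in Combined Log Format.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /app/login;jsessionid=1A2B3C4D5E6F7G8H HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Oct/2023:13:55:40 +0000] "GET /app/home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [10/Oct/2023:13:56:02 +0000] "GET /shop/cart.php?PHPSESSID=9f86d081884c7d65&item=42 HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '192.0.2.13 - - [10/Oct/2023:13:56:10 +0000] "POST /api/search?q=jsessionid HTTP/1.1" 200 300 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        flag = " (logon page)" if f["logon_page"] else ""
        print(f'line {f["line"]}: field [{f["field"]}] exposes session id [{f["value"]}]{flag}')
```

Running the script against the sample lines reports lines 1 and 3 only: line 4 carries the word "jsessionid" as a search term, not as a parameter name, and line 2 has no identifier at all. The same detector applied to a real access log shows how many past session tokens are sitting in plain text on disk, which is the exposure the Summary describes.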
Solution
Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently and which do not typically appear in server log files or web browser bookmarks. For Java servlet applications, which produce the `;jsessionid=` URL rewriting shown in the alert, set `<tracking-mode>COOKIE</tracking-mode>` inside `<session-config>` in web.xml (Servlet 3.0 and later) so the container never falls back to URL rewriting; the session cookie should also carry the Secure and HttpOnly attributes.
Other Info
URL field [jsessionid] contains an exposed session identifier [valueB]. The URL on which the issue was discovered was flagged as a logon page.
References
- https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication
- https://owasp.org/www-community/attacks/Session_fixation
- https://acrossecurity.com/papers/session_fixation.pdf
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html