session-token-in-url.md

File metadata and controls

35 lines (24 loc) · 1.48 KB
---
name: Session Token in URL
severity: medium
cvss-score: 5.9
cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
cwe-id: CWE-200
cwe-name: Exposure of Sensitive Information to an Unauthorized Actor
compliance:
  HIPAA: 164.306(a)
  ISO 27001: A.8.2, A.8.3
  owasp10: A2, A7
  pci: 6.5.10
  PCI v4.0: pci4-6.2.4
---

Sensitive information transmitted in the URL may be logged in several places, such as the browser history, the web server logs and any proxy between the client and the application. It may also be sent to third-party sites through the `Referer` header, simply by following a link in the application.

A URL that carries sensitive information is also easy to share inadvertently, through an accidental copy-paste or by posting the URL in a social application.

In this case, the sensitive information is a session token. An attacker who obtains this session token can hijack the victim's session and authenticate to the application as the victim, gaining access to their account.
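The leak described above shows up in exactly the places the text names: the request line of the application's own access log and the `Referer` field of a third-party site's log. The following scanner is an added example (not part of the original page) that reads a few constructed access-log lines in the common "combined" format, reports any request path or `Referer` whose query string carries a session-looking parameter, and masks the token value so the finding can itself be stored safely. The parameter-name list and the sample lines are assumptions; the token value reuses the page's own sample.

```python
"""Detect session tokens leaking through URLs in web server access logs.

Added example (not from the original page): scans constructed log lines in the
Apache/Nginx "combined" format and reports any request path or Referer whose
query string carries a parameter that looks like a session identifier.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names commonly used for session tokens (assumption: extend for your app).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid", "token"}

# Combined log format:
# host ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def session_params(url: str):
    """Return [(name, value)] for query parameters whose name looks like a session token."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SESSION_PARAM_NAMES]


def redact(url: str) -> str:
    """Mask the value of any session-looking parameter so the URL can be stored safely."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "[REDACTED]" if k.lower() in SESSION_PARAM_NAMES else v) for k, v in pairs]
    return parts._replace(query="&".join(f"{k}={v}" for k, v in masked)).geturl()


def find_leaks(log_lines):
    """Scan log lines and return one finding per session parameter seen in a path or Referer."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for source in ("path", "referer"):
            url = m.group(source)
            for name, _value in session_params(url):
                findings.append({"time": m.group("time"), "source": source,
                                 "param": name, "url": redact(url)})
    return findings


# Constructed sample: a request with the token in the path, a request whose
# Referer (as recorded by the site being linked to) carries it, and a clean request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /account?sessionid=cppynyovhdltchrlezxusy44 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "GET /help HTTP/1.1" 200 128 "https://app.example/account?sessionid=cppynyovhdltchrlezxusy44" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:56:01 +0000] "GET /search?q=invoice HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(f"{finding['time']} token in {finding['source']} ({finding['param']}): {finding['url']}")
```

Run over real logs, the same scan also tells you which log stores, proxies and linked third parties already hold the token, which is the list of places where those sessions should be treated as compromised and invalidated.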

How to fix

{% tabs session-token-in-url %}
{% tab session-token-in-url generic %}
Applications should replace the use of session tokens in the URL with session cookies, which are the recommended way to transmit session tokens in HTTP requests.

The application should set the cookie using the appropriate function of its programming language or framework, which results in an HTTP response carrying a header similar to `Set-Cookie: sessionid=cppynyovhdltchrlezxusy44; HttpOnly; Secure`.

{% endtab %}

{% endtabs %}
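The generic fix above has two halves: issue the token in a `Set-Cookie` header with the `HttpOnly` and `Secure` attributes, and read it back only from the `Cookie` header so that a token placed in the query string no longer authenticates anyone. The block below is an added example, not code from the original page, using only Python's standard library (`http.cookies`, Python 3.8 or later for `SameSite`). The cookie name `sessionid` follows the page's sample header; the `SameSite=Lax`, `Path` and `Max-Age` settings are assumptions, and `missing_attributes` is a helper for checking an existing header, not part of any framework.

```python
"""Issue the session token as a cookie rather than a URL parameter.

Added example (not the page's own code): builds the Set-Cookie header with the
standard library, checks an existing header for the attributes that keep the
token off plaintext connections and away from scripts, and reads the token back
from the Cookie header only.
"""
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sessionid"  # assumption: follows the page's sample header


def new_session_token() -> str:
    """Generate an unguessable session token: 128 bits of randomness, URL-safe alphabet."""
    return secrets.token_urlsafe(16)


def session_set_cookie_header(token: str, max_age: int = 3600) -> str:
    """Return the value of a Set-Cookie header carrying the session token."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True    # not readable through document.cookie
    morsel["secure"] = True      # only sent over HTTPS
    morsel["samesite"] = "Lax"   # not attached to most cross-site requests (Python >= 3.8)
    morsel["path"] = "/"
    morsel["max-age"] = max_age  # bound the session lifetime
    return morsel.OutputString()


def missing_attributes(set_cookie_value: str) -> list:
    """List which of HttpOnly, Secure and SameSite a Set-Cookie value lacks."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [a for a in ("HttpOnly", "Secure", "SameSite") if a.lower() not in attrs]


def session_token_from_request(headers: dict, query_params: dict):
    """Read the session token from the Cookie header only.

    query_params is accepted and deliberately ignored: a token that arrives in
    the URL must not be honoured, or the leak paths in the description remain open.
    """
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get(COOKIE_NAME)
    return morsel.value if morsel else None


if __name__ == "__main__":
    token = new_session_token()
    header = session_set_cookie_header(token)
    print("Set-Cookie:", header)
    print("missing attributes:", missing_attributes(header))
    # The token is recovered from the Cookie header, and never from the query string.
    print(session_token_from_request({"Cookie": f"{COOKIE_NAME}={token}"}, {}))
    print(session_token_from_request({}, {COOKIE_NAME: token}))
```

The check in `missing_attributes` is worth running against the headers your framework actually emits: the page's sample header carries `HttpOnly` and `Secure`, and any deployment that has dropped either of them, or that still accepts `sessionid` from the query string, has only half-fixed the finding.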