The system must not expose session IDs in URLs and messages presented to the user.
Session IDs are sensitive information that may allow an attacker to steal, modify and/or destroy information once they obtain one. Information sent via URL parameters is:
- Stored in clear text in the browser history.
- Sent to external sites via the referrer HTTP header.
- Sent to external sites via the search bar if the browser interprets the URL as a query.
- Visible to scripts running on the browser that may belong to third parties.

Therefore, session IDs should not be sent via URL parameters, nor be displayed in messages presented to the user, nor stored in logs.

This requirement is verified in the following services:
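The following script is an added example, not part of the requirement text, that shows how a defender can check the points above against what actually reaches the logs: it detects session identifiers carried in a URL's query string or in a Java-style `;jsessionid=` path segment and rewrites the URL so the value is not retained. The parameter names, the log format and the log lines themselves are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry a session identifier.
# Assumed list for this example; extend it with your application's own names.
SESSION_PARAM_NAMES = {
    "sessionid", "session_id", "sid", "jsessionid", "phpsessid", "asp.net_sessionid",
}

# Java servlet containers may also place the session ID in the path: /app;jsessionid=ABC
_PATH_SESSION_RE = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)

# Request-line pattern of a typical access log: "GET /path?x=y HTTP/1.1"
_REQUEST_RE = re.compile(r'"(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) (HTTP/[\d.]+)"')

REDACTED = "[REDACTED]"


def find_session_ids(url):
    """Return (location, name, value) triples for every session ID carried in
    the URL's query string or in a ';jsessionid=' path segment."""
    parts = urlsplit(url)  # works for absolute URLs and for bare request targets
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append(("query", name, value))
    for match in _PATH_SESSION_RE.finditer(parts.path):
        found.append(("path", "jsessionid", match.group(1)))
    return found


def redact_url(url):
    """Return the URL with session ID values replaced by a marker, so the
    record stays readable (parameter names are kept) but can be stored safely."""
    parts = urlsplit(url)
    query = [(name, REDACTED if name.lower() in SESSION_PARAM_NAMES else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    path = _PATH_SESSION_RE.sub(";jsessionid=" + REDACTED, parts.path)
    # safe="[]" keeps the marker literal instead of percent-encoding the brackets
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query, safe="[]"), parts.fragment))


def audit_log(lines):
    """Scan access-log lines for session IDs in the request target.

    Returns (leaks, redacted_lines): leaks is a list of (line_number, findings)
    for the offending lines; redacted_lines is the full log with those values
    replaced, i.e. the form that should have been written in the first place."""
    leaks, redacted = [], []
    for number, line in enumerate(lines, start=1):
        match = _REQUEST_RE.search(line)
        if match:
            hits = find_session_ids(match.group(2))
            if hits:
                leaks.append((number, hits))
                line = line[:match.start(2)] + redact_url(match.group(2)) + line[match.end(2):]
        redacted.append(line)
    return leaks, redacted


# Constructed sample log lines (not real traffic): two leaks and one clean request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account?user=alice&sid=3f9a1c7e5b2d4860 HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Oct/2023:13:55:37 +0000] "GET /shop/cart;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /public/about?lang=en HTTP/1.1" 200 128',
]


if __name__ == "__main__":
    leaks, redacted = audit_log(SAMPLE_LOG)
    for number, hits in leaks:
        print(f"line {number}: session ID exposed via {', '.join(loc + ':' + name for loc, name, _ in hits)}")
    print("\n".join(redacted))
```

Running the script reports the two offending lines and prints the log as it should have been stored. The same `find_session_ids` check can run as a test against the URLs an application generates (links, redirects, error messages), since the requirement is satisfied by never emitting the identifier in the first place; carrying the session in a cookie marked `HttpOnly` and `Secure` is the usual way to meet it.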
- CWE™-200. Exposure of sensitive information to an unauthorized actor
- OWASP TOP 10-A2. Cryptographic failures
- OWASP TOP 10-A3. Injection
- OWASP-M TOP 10-M2. Insecure data storage
- NIST Framework-PR_DS-5. Protections against data leaks are implemented
- CERT-J-IDS14-J. Do not trust the contents of hidden form fields
- PA-DSS-5_2_10. Broken authentication and session management
- HITRUST CSF-09_v. Electronic messaging
- WASSEC-6_2_2_2. Authorization - Insufficient authorization
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- ISSAF-T_14_1. Web application assessment - URL manipulation
- PTES-7_4_4_2. Post Exploitation - Pillaging (user information on web browsers)
- OWASP SCP-3. Authentication and password management
- OWASP MASVS-V6_2. Platform interaction requirements
- CWE™-6. Misconfiguration - Insufficient session-ID length
- OWASP API Security Top 10-API3. Excessive Data Exposure
- 017. Sensitive information sent insecurely
- 030. Sensitive information sent via URL parameters
- 276. Sensitive information sent via URL parameters - Session