Session Management / Session Token in URL
Description
Session token in URL (CWE-613) is a web and API vulnerability that occurs when an application passes a user's session token in the URL instead of in a secure cookie. Because URLs are recorded in browser history, proxy and server logs, and Referer headers, a malicious user can obtain the session token and use it to gain unauthorized access to the session. This vulnerability is closely related to the OWASP Testing Guide's Testing for Session Management Vulnerabilities (OTG-SESS-001).
Risk
This is a high-risk vulnerability: an attacker who obtains the token can hijack the user's session, which can lead to data breaches, information leakage and identity theft.
Solution
The best way to protect against this vulnerability is to never pass session tokens in URLs; instead, store the session token in a secure cookie. It is also important to serve the application over HTTPS so the token cannot be captured in transit and used for session hijacking.
Example
The following request line shows the Session token in URL vulnerability as reported in CVE-2018-19166.
GET /index.php?action=login&session=token
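The request line above carries the token where browser history, logs and Referer headers can record it. As an added example that is not part of the original entry, the Python code below rejects such requests and delivers a freshly minted session identifier in a hardened cookie instead; the parameter-name list, the toy login handler and the sample request targets are assumptions constructed for illustration.

```python
import secrets
from http import cookies
from urllib.parse import parse_qs, urlsplit

# Query-string names commonly used for session identifiers (assumed list; extend per application).
SESSION_PARAM_NAMES = {"session", "sessionid", "sid", "phpsessid", "jsessionid", "token"}


def session_params_in_url(url: str) -> list[str]:
    """Return the query parameter names in `url` that look like session identifiers.

    Usable as a request filter and for scanning access logs: anything in the query
    string is recorded in browser history, proxy/server logs and Referer headers.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SESSION_PARAM_NAMES)


def build_session_cookie(token: str, name: str = "SESSIONID") -> str:
    """Serialize the session cookie with Secure (HTTPS only), HttpOnly (no script
    access) and SameSite=Strict (not sent on cross-site requests)."""
    jar = cookies.SimpleCookie()
    jar[name] = token
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar.output(header="").strip()


def handle_login(request_target: str) -> tuple[int, dict[str, str]]:
    """Toy login handler (constructed for this example): refuse any request that
    carries a session token in the URL, otherwise mint a fresh random session id
    and hand it out only via the hardened Set-Cookie header.
    Returns (status_code, response_headers)."""
    leaked = session_params_in_url(request_target)
    if leaked:
        # Reject rather than accept: a token in the URL is already exposed.
        return 400, {"X-Rejected-Params": ",".join(leaked)}
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe alphabet
    return 200, {"Set-Cookie": build_session_cookie(token)}


if __name__ == "__main__":
    # Constructed request targets: the vulnerable pattern from the page and a clean one.
    for target in ("/index.php?action=login&session=token", "/index.php?action=login"):
        status, headers = handle_login(target)
        print(target, "->", status, headers)
```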