Session Management / Session Token in URL

Web and API

Description

Session token in URL (CWE-613) is a web and API vulnerability that occurs when an application passes a user's session token in the URL instead of using a secure cookie. This allows malicious users to gain access to the user's session token, which can be used to gain unauthorized access. This vulnerability is closely related to the OWASP Testing Guide’s Testing for Session Management Vulnerabilities (OTG-SESS-001).

Risk

This vulnerability is a high-risk vulnerability and can lead to serious consequences, such as data breaches and session hijacking. Session hijacking can lead to information leakage and identity theft.

Solution

The best way to protect against this vulnerability is to avoid passing session tokens in URLs. Instead, store the session token securely in a cookie. It is also important to use HTTPS to protect against session hijacking.

Example

The following code example is an example of the Session token in URL vulnerability from CVE-2018-19166.

GET /index.php?action=login&session=token

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.