Exposed Session Token

medium Web App Scanning Plugin ID 112799

Language:

Synopsis

Exposed Session Token

Description

Web applications use sessions to retain information about each user, keep track of their activity or define proper access rights and permissions. Each session has an identifier (token or ID) defined by the application to bind users to their HTTP traffic, being temporarily equivalent to the strongest authentication method used by the application for authenticated sessions.

URLs are often used to exchange information between the user and the application and may sometimes include session tokens. As URLs can be logged or disclosed in various locations (like proxy and server web logs, referer HTTP header...), sensitive session tokens could be leaked and used by malicious actors to try to conduct session fixation or hijacking attacks.

Solution

Session tokens should be transmitted through alternative methods which do not expose it, preferring HTTP cookies as they allow to manage token expiration properties.

See Also

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

https://www.owasp.org/index.php/Session_fixation

Plugin Details

Severity: Medium

ID: 112799

Type: remote

Family: Authentication & Session

Published: 6/1/2021

Updated: 11/26/2021

Scan Template: api, basic, full, overview, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 200, 598

OWASP: 2010-A6, 2010-A9, 2013-A5, 2013-A6, 2017-A3, 2017-A6, 2021-A1, 2021-A4

WASC: Information Leakage, Insufficient Transport Layer Protection

CAPEC: 116, 13, 169, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 472, 497, 508, 573, 574, 575, 576, 577, 59, 60, 616, 643, 646, 651, 79

DISA STIG: APSC-DV-000460, APSC-DV-002480

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-SI-15

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

OWASP ASVS: 4.0.2-3.1.1, 4.0.2-8.3.4

PCI-DSS: 3.2-6.5.4, 3.2-6.5.8