Session token sent in URL

Description

During the scan, Cytrix found that a session token is being sent in the URL.
Sensitive information within URLs could be logged in various locations, including the user’s browser, the web server, and any (forward or reverse) proxy servers between the two endpoints.

This vulnerability could allow attackers to steal the session token. That would allow them to redirect users to malicious external websites, which could open up a wide array of attack vectors.

Severity/Score

CVSS Version 3.x – 5.3 Medium

Recommendation

Applications should use an alternative, much safer mechanism for transferring session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
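The following is an added example, not Cytrix's scanner code or anything from the scanned application. It shows the two sides of this finding: a check that flags session identifiers carried in request URLs (run here over constructed access-log lines, the kind of log the description warns would record the token), and the Set-Cookie header that moves the token into an HttpOnly, Secure cookie instead. The list of parameter names, the log lines and the token values are assumptions constructed for illustration.

```python
"""Detect session tokens carried in URLs and issue them as cookies instead.

Added example for this advisory; not Cytrix's scanner code. Parameter names,
log lines and token values below are constructed for illustration.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names commonly used for session identifiers (assumed list;
# add your own application's parameter name when auditing it).
SESSION_PARAM_NAMES = {
    "sessionid", "session_id", "sessiontoken", "session_token",
    "jsessionid", "phpsessid", "asp.net_sessionid", "sid", "token",
}

# Servlet-style URLs put the id in the path: /app/page;jsessionid=ABC123
_PATH_SESSION_RE = re.compile(r";(jsessionid)=([^;/?#]+)", re.IGNORECASE)

# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /account?sessionid=9f3c2a HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /app/home;jsessionid=AB12CD?tab=1 HTTP/1.1" 200 2048',
]


def session_tokens_in_url(url):
    """Return [(param_name, value), ...] for session identifiers found in a URL.

    Checks both query-string parameters and ';jsessionid=' path parameters.
    """
    parts = urlsplit(url)
    found = []
    for m in _PATH_SESSION_RE.finditer(parts.path):
        found.append((m.group(1).lower(), m.group(2)))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name.lower(), value))
    return found


def audit_access_log(lines):
    """Report (line_number, param_name) for every logged request URL that
    carries a session token. The token value itself is not echoed, so the
    audit output does not become one more place the token is stored."""
    req_re = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = req_re.search(line)
        if not m:
            continue
        for name, _value in session_tokens_in_url(m.group(1)):
            findings.append((lineno, name))
    return findings


def session_cookie_header(token, max_age=3600):
    """Build the Set-Cookie header value that replaces the URL parameter.

    HttpOnly keeps page scripts from reading the token, Secure keeps it off
    plain HTTP, SameSite=Lax stops most cross-site requests from sending it,
    and the __Host- prefix makes browsers require Secure, Path=/ and no Domain.
    """
    cookie = SimpleCookie()
    cookie["__Host-session"] = token
    morsel = cookie["__Host-session"]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["max-age"] = max_age
    return morsel.OutputString()


if __name__ == "__main__":
    for lineno, name in audit_access_log(SAMPLE_LOG):
        print(f"line {lineno}: session identifier '{name}' present in request URL")
    print("Set-Cookie:", session_cookie_header("9f3c2a"))
```

Running the audit against a real access log (web server, reverse proxy, or CDN) is a quick way to confirm whether the finding is already reflected in stored logs; the cookie header is what the login response should send in place of appending the token to a redirect or link URL.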

References

https://cwe.mitre.org/data/definitions/200.html
