Spring Boot Misconfiguration: Unsafe value for session tracking - Vulnerability Database

Spring Boot Misconfiguration: Unsafe value for session tracking

Description

This Spring Boot application is configured to support session tracking through both cookies and URL rewriting. URL-based session tracking appends the session identifier (e.g., ;jsessionid=ABC123) directly to URLs and is activated automatically when a client has cookies disabled. This creates an unnecessary security risk: a session identifier carried in the URL ends up in browser history, proxy and server logs, and Referer headers, so it should only be transmitted via Secure, HttpOnly cookies.

Remediation

Configure Spring Boot to use cookie-based session tracking exclusively by setting the server.servlet.session.tracking-modes property in your application properties file (application.properties or application.yml).

For application.properties:

server.servlet.session.tracking-modes=COOKIE

For application.yml:

server:
  servlet:
    session:
      tracking-modes: COOKIE

After making this change, restart the application to apply the configuration. Additionally, ensure that session cookies are configured with the HttpOnly and Secure flags (server.servlet.session.cookie.http-only and server.servlet.session.cookie.secure) to further protect against cross-site scripting (XSS) and man-in-the-middle attacks.
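To verify the remediation across a code base, the following added script (not Invicti's or Spring's code) reads an application.properties or a simple application.yml, flattens it to Spring property keys, and reports the weak tracking-modes value or missing cookie flags; the sample inputs are constructed, and the YAML flattener assumes plain nested key/value maps with no lists, anchors or quoted values.

```python
import re

TRACKING_KEY = "server.servlet.session.tracking-modes"
COOKIE_FLAGS = (("server.servlet.session.cookie.http-only", "HttpOnly"),
                ("server.servlet.session.cookie.secure", "Secure"))

def parse_properties(text):
    """application.properties: 'key=value' or 'key: value'; '#' and '!' lines are comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def flatten_yaml(text):
    """application.yml: minimal flattener for nested 'key: value' maps (assumption: no lists/anchors)."""
    flat, stack = {}, []            # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # leave deeper or sibling levels
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat

def audit(config):
    """Return findings; an empty list means the session config matches the remediation."""
    findings = []
    modes = config.get(TRACKING_KEY)
    if modes is None:
        findings.append(f"{TRACKING_KEY} not set: the servlet container default applies and may include URL")
    elif "URL" in {m.strip().upper() for m in modes.split(",")}:
        findings.append(f"{TRACKING_KEY}={modes}: URL rewriting puts the session id in URLs")
    for key, flag in COOKIE_FLAGS:                # flags must be explicitly true, not left to defaults
        if config.get(key, "").lower() != "true":
            findings.append(f"{key} is not explicitly true: verify the session cookie carries {flag}")
    return findings

# Constructed samples: the weak setting beside the remediated one.
WEAK_PROPERTIES = "server.servlet.session.tracking-modes=COOKIE,URL\nserver.servlet.session.cookie.secure=false\n"
SAFE_YAML = ("server:\n  servlet:\n    session:\n      tracking-modes: COOKIE\n"
             "      cookie:\n        http-only: true\n        secure: true\n")
```

Running `audit(parse_properties(WEAK_PROPERTIES))` yields three findings, while `audit(flatten_yaml(SAFE_YAML))` yields none.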
