Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Unsafe value for session tracking in WEB-INF/web.xml - Vulnerability Database

Unsafe value for session tracking in WEB-INF/web.xml

Description

This web application is configured to support session tracking by cookies and URLs. The session tracking by URL is also known as "URL rewriting" wherein you see the ;jsessionid=id to appear in URLs. This will be triggered automatically when the client has cookies disabled. It's recommended to disable tracking by URL, and explicitly specify a tracking mode by cookie only.

Remediation

Change the value for <strong>tracking-mode</strong> in WEB-INF/web.xml to make sure the JSESSIONID is stored in a cookie: <pre> &lt;session-config&gt; &lt;tracking-mode&gt;COOKIE&lt;/tracking-mode&gt; &lt;/session-config&gt; </pre>

References

Servlet - Session Tracking Modes

Related Vulnerabilities

Trace.axd Detected High
Common tags: Configuration
Apache Airflow Experimental API Auth Bypass CVE-2020-13927 High
Common tags: Configuration
Joomla J!Dump extension enabled Medium
Common tags: Configuration
Joomla Debug Console enabled Medium
Common tags: Configuration
Jetty Information Disclosure (CVE-2021-34429) Medium
Common tags: Configuration

Severity

Medium

Classification

CWE-16
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration