Summary #

Invicti detected that the web application is configured to support session tracking by cookies and URLs.

The session tracking by URL is also known as "URL rewriting" wherein you see the jsessionid=id to appear in URLs. This will be triggered automatically when the client has cookies disabled. It's recommended to disable tracking by URL, and explicitly specify a tracking mode by cookie only.

Impact #

If the session id is stored in a URL parameter it could be inadvertently saved in a number of locations including the browser history, proxy server logs, referrer logs, web logs, etc. Accidental disclosure of the session id makes the application more vulnerable to session hijacking attacks.

Actions To Take #

Change the value for tracking-mode in WEB-INF/web.xml to make sure the JSESSIONID is stored in a cookie:

<session-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
Classifications #
CWE-16; OWASP 2013-A5; OWASP 2017-A6 , CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

OR

Search Vulnerability

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo