This article is a part of our Web Security Knowledge Base.
Why “Session ID in URL Rewrite” can be dangerous
URL rewriting embeds the session ID in the URLs of the links and forms on a page so that the server can recognise which requests belong to the same session without relying on cookies. Because the ID is then part of the URL, it is exposed wherever URLs are stored or forwarded (browser history, bookmarks, server and proxy logs, the Referer header sent to other sites), and a user can end up following a link that already carries a session ID chosen by someone else. In many scenarios this leads to session fixation, an attack in which the attacker takes over a session and then performs further actions as the already-authenticated user.
How to fix “Session ID in URL Rewrite”
Serve your website over HTTPS.
Store the session ID in a cookie instead of the URL.
For even more security, use a combination of a cookie and URL rewriting.
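The following Python example, added here and not taken from ScanRepeat or any framework, shows the vulnerable pattern beside the cookie-based fix described in the steps above. The cookie name SESSIONID, the session store and the helper names are assumptions made for illustration; the cookie is marked Secure (so the browser only sends it over HTTPS) and HttpOnly, and the request URL is never consulted when resolving the session.

```python
"""Keeping the session ID out of URLs: the URL-rewrite pattern beside the cookie-based fix.

Added example, not ScanRepeat's code. The cookie name, store layout and
helper names are assumptions made for illustration.
"""
import re
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"  # assumed cookie name

HREF_RE = re.compile(r'href="([^"?#]+)([^"]*)"')


def rewrite_links_with_session(html: str, sid: str) -> str:
    """The vulnerable pattern: URL rewriting appends the session ID to every
    link, so the ID ends up in history, logs and Referer headers."""
    return HREF_RE.sub(
        lambda m: f'href="{m.group(1)};jsessionid={sid}{m.group(2)}"', html
    )


def make_session_cookie(sid: str) -> str:
    """Set-Cookie value for the session ID. Secure means the browser only
    sends it over HTTPS (hence the HTTPS step); HttpOnly keeps it away
    from page scripts."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sid
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["samesite"] = "Lax"
    jar[COOKIE_NAME]["path"] = "/"
    return jar.output(header="").strip()


def resolve_session(cookie_header, store):
    """Cookie-based session lookup: returns (session_id, set_cookie_or_None).

    Only a cookie naming a session that already exists in the store is
    trusted. The request URL is never consulted, so a link carrying a
    session ID cannot plant that ID into the user's session (fixation).
    Unknown cookie values are discarded and replaced by a fresh ID.
    """
    if cookie_header:
        jar = SimpleCookie(cookie_header)
        if COOKIE_NAME in jar and jar[COOKIE_NAME].value in store:
            return jar[COOKIE_NAME].value, None
    sid = secrets.token_urlsafe(32)  # unguessable, server-generated
    store[sid] = {}
    return sid, make_session_cookie(sid)


if __name__ == "__main__":
    page = '<a href="/account">Account</a> <a href="/cart?item=3">Cart</a>'
    print("vulnerable rewrite:", rewrite_links_with_session(page, "abc123"))
    store = {}
    sid, header = resolve_session("SESSIONID=planted", store)
    print("planted ID adopted?", sid == "planted")
    print("Set-Cookie:", header)
```

The hardened resolver issues a new ID whenever the cookie is missing or names a session the server does not know, which is what makes the "store the session ID in a cookie" step effective against fixation rather than merely moving the ID somewhere else.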
How does ScanRepeat report “Session ID in URL Rewrite”
ScanRepeat performs passive scanning and looks for session ID tokens in the URLs of HTTP requests. It reports every occurrence of this vulnerability, giving the matched token as evidence together with the URL of the request.
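As an added illustration of the kind of passive check described above (this is example code, not ScanRepeat's scanner), the Python below looks for session ID tokens in the path parameters and query string of each request URL and reports the token as evidence together with the URL. The list of parameter names and the sample request lines are constructed assumptions.

```python
"""Passive check for session IDs carried in request URLs.

Added example, not ScanRepeat's scanner. The token names, request-line
format and sample traffic are constructed assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names commonly used to carry a session ID (assumed list; extend per application).
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "session_id", "sid",
}


def find_session_ids_in_url(url):
    """Return a list of (name, value) session tokens found in the URL's
    path parameters or query string."""
    parts = urlsplit(url)
    found = []
    # Path-parameter form, e.g. /account;jsessionid=ABC (parameters after ';')
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name, _, value = param.partition("=")
            if name.lower() in SESSION_PARAM_NAMES and value:
                found.append((name, value))
    # Query-string form, e.g. /account?PHPSESSID=ABC
    for name, value in parse_qsl(parts.query):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name, value))
    return found


REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d$")


def scan_requests(request_lines):
    """Scan HTTP request lines and report one finding per token, with the
    token as evidence and the request URL, in the spirit of the report
    described in the text."""
    findings = []
    for line in request_lines:
        m = REQUEST_LINE_RE.match(line.strip())
        if not m:
            continue  # not a request line; passive checks skip what they cannot parse
        url = m.group("url")
        for name, value in find_session_ids_in_url(url):
            findings.append({
                "description": "Session ID in URL Rewrite",
                "url": url,
                "evidence": f"{name}={value}",
            })
    return findings


# Constructed sample traffic (not real data)
SAMPLE_REQUESTS = [
    "GET /account;jsessionid=1A2B3C4D5E6F HTTP/1.1",
    "GET /shop/cart?item=42&PHPSESSID=9f8e7d6c5b4a HTTP/1.1",
    "POST /login HTTP/1.1",
    "GET /search?q=session HTTP/1.1",
]


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['description']}: {f['url']}  evidence: {f['evidence']}")
```

Only parameter names are matched, so a URL that merely contains the word "session" in a query value produces no finding; in practice the name list is tuned to the session mechanism the application actually uses.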