Exposing the session identifier in a URL is a classic example of an identification and authentication failure because:
Session Hijacking Risk: A session ID carried in a URL is copied into browser history, bookmarks, shared links, proxy and web-server access logs, and the Referer header sent to any third-party site linked from the page. Anyone who can read one of those places can replay the ID and take over the authenticated session without ever touching the password.
Session Fixation: Because the URL is under the attacker's control, an attacker can hand the victim a link that already contains a session ID the attacker knows. If the application accepts that ID and keeps it after login, the attacker and the victim share the authenticated session. A predictable ID makes this easier, but it is not required; the fix is to issue a fresh ID on login.
OWASP Top Ten 2021 - Identification and Authentication Failures (A07): Exposing the session identifier in the URL is one of the weaknesses listed under this category, because it makes it easier for attackers to impersonate users.
Secure Implementation: Best practice is to carry the session ID in a cookie flagged HttpOnly (not readable by script) and Secure (sent only over TLS), with a SameSite attribute, and to regenerate it on login. The ID never belongs in a URL, and any log or link that contains one should be treated as a credential leak.
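The following is an added example, not code from the CCOA manual or from any product the page describes. It shows the two sides of the point above in Python: an access-log scan that flags requests whose URL carries a session identifier (the leak), and a helper that issues the cookie-based alternative with the HttpOnly, Secure and SameSite flags plus a rotate-on-login step against session fixation. The log lines, the parameter-name list and the function names are constructed for the example.

```python
"""Added example: detect session IDs leaked via URLs in an access log,
and issue the cookie-based, rotate-on-login alternative."""
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Query-string names that commonly carry a session identifier.
# Assumed list for the example; extend it for the application under test.
SESSION_PARAMS = {"jsessionid", "phpsessid", "sessionid", "session_id", "sid"}

# Constructed sample lines in Combined Log Format; not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /account?sessionid=abc123 HTTP/1.1" 200 512 "https://example.test/login" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cart;jsessionid=0A1B2C3D HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/')
# Servlet-style path parameter, e.g. /cart;jsessionid=...
JSESSIONID_RE = re.compile(r";jsessionid=[^;/?#]+", re.IGNORECASE)


def session_params_in_url(url):
    """Return the sorted names of session-carrying parameters in the URL:
    matching query-string keys, plus 'jsessionid' for the path form."""
    parts = urlsplit(url)
    found = {name for name in parse_qs(parts.query, keep_blank_values=True)
             if name.lower() in SESSION_PARAMS}
    if JSESSIONID_RE.search(parts.path):
        found.add("jsessionid")
    return sorted(found)


def scan_access_log(lines):
    """Return (line_number, url, params) for each request whose URL carries a
    session identifier. Every hit is a token now stored in this log, in any
    proxy log on the path, and in the Referer of each outbound link."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        params = session_params_in_url(match.group(1))
        if params:
            hits.append((number, match.group(1), params))
    return hits


def issue_session_cookie(name="session", secure=True):
    """Generate a fresh random session ID and the Set-Cookie header value that
    carries it: HttpOnly (no script access), Secure (TLS only), SameSite=Lax.
    Carried this way, the ID never lands in a URL, Referer or access log."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    cookie = SimpleCookie()
    cookie[name] = sid
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = secure
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    return sid, cookie[name].OutputString()


def rotate_session(store, old_sid, user):
    """Session-fixation defence: on successful login discard whatever ID the
    browser arrived with and bind the user to a brand-new one."""
    store.pop(old_sid, None)
    new_sid, _ = issue_session_cookie()
    store[new_sid] = user
    return new_sid


if __name__ == "__main__":
    for number, url, params in scan_access_log(LOG_LINES):
        print(f"line {number}: {url} exposes {params}")
    sid, header = issue_session_cookie()
    print("Set-Cookie:", header)
```

Running the scan over the sample lines reports lines 1 and 3; in a real engagement the same regex runs over the web server's access logs and the Referer column, which is exactly where the leaked IDs end up.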
Other options analysis:
A. Cryptographic failures: This category covers missing or improper protection of data in transit and at rest (weak algorithms, bad key management, cleartext transmission), not session management.
B. Insecure design and implementation: A broad category, but this specific flaw is a session-management weakness and is therefore more aligned with identification and authentication failures.
D. Broken access control: Involves authorization flaws (a user acting outside their granted permissions) rather than authentication or session handling.
CCOA Official Review Manual, 1st Edition References:
Chapter 4: Web Application Security: Covers session management best practices and related vulnerabilities.
Chapter 8: Application Security Testing: Discusses testing for session-related flaws.