R032. Avoid session ID leakages

Requirement

The system must not expose session IDs in URLs and messages presented to the user.

Description

Session IDs are sensitive information: an attacker who obtains one may steal, modify and/or destroy the information the session gives access to. Information sent via URL parameters is:

  • stored in clear text in the browser history.

  • sent to external sites via the referrer HTTP header.

  • sent to external sites via the search bar if the browser interprets the URL as a search query.

  • visible to scripts running in the browser, which may belong to third parties.

Therefore, session IDs should neither be sent via URL parameters, displayed in messages presented to the user, nor stored in logs.
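The following is an added example, not part of the Fluid Attacks requirement text, showing with the Python standard library how a server can satisfy this requirement: the session ID travels in a cookie (with HttpOnly, Secure and SameSite so page scripts and cleartext channels cannot read it), URLs are checked and cleaned before they reach an error message or a log, and log lines are redacted. The parameter names in SESSION_PARAM_NAMES, the cookie name `session`, the session value and the sample log line are constructed for the example.

```python
"""Added example: keeping session IDs out of URLs, user-facing messages and
logs (standard library only; names and sample data are constructed)."""
import re
from http import cookies
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string names commonly used to carry a session identifier.
# Constructed list for this example; extend it to match your framework.
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid",
                       "phpsessid", "jsessionid", "token"}

# Constructed access-log line that leaks a session ID twice: once in the
# request path and once in the Referer URL.
SAMPLE_LOG_LINE = ('GET /account?user=42&sessionid=9f1e2d3c4b HTTP/1.1 200 '
                   '"https://shop.example/cart?PHPSESSID=ab12cd34"')


def find_session_params(url: str) -> list[str]:
    """Return the names of query parameters in `url` that look like session IDs.
    A non-empty result means the URL would leak the ID through browser history,
    the Referer header and any script that reads window.location."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SESSION_PARAM_NAMES]


def strip_session_from_url(url: str) -> str:
    """Remove session-bearing parameters from a URL, e.g. before echoing the
    URL back in an error message or writing it to a log."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAM_NAMES]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Build the Set-Cookie value that carries the session ID instead of a URL
    parameter: HttpOnly keeps it away from page scripts, Secure keeps it off
    cleartext channels, SameSite=Strict stops it being sent cross-site."""
    jar = cookies.SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = secure
    jar["session"]["samesite"] = "Strict"
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


# Matches "<name>=<value>" for any session parameter name, case-insensitively,
# whether it appears in a request path, a Referer URL or free text.
_SESSION_IN_TEXT = re.compile(
    r"(?i)\b(" + "|".join(map(re.escape, sorted(SESSION_PARAM_NAMES)))
    + r")=([^&\s\"']+)")


def redact_log_line(line: str) -> str:
    """Replace the value of every session parameter found in a log line, so the
    ID is never stored even when a client or upstream sends it in a URL."""
    return _SESSION_IN_TEXT.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


if __name__ == "__main__":
    leaky = "https://shop.example/cart?item=7&PHPSESSID=ab12cd34"
    print("session params in URL:", find_session_params(leaky))
    print("safe to log/echo:     ", strip_session_from_url(leaky))
    print("Set-Cookie:", session_cookie_header("9f1e2d3c4b"))
    print("redacted log line:", redact_log_line(SAMPLE_LOG_LINE))
```

The same find/strip functions can run in a request middleware: if `find_session_params` reports anything on an incoming request, reject or re-issue the session rather than accept an ID that has already been exposed, and pass every URL through `strip_session_from_url` before it is written to a log or rendered in an error page.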

Reference

  1. CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  2. CWE-319: Cleartext Transmission of Sensitive Information. The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

  3. CWE-598: Use of GET Request Method With Sensitive Query Strings. The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

  4. OWASP-ASVS v4.0.1 V3.1 Client-side Data Protection (3.1.1). Verify the application never reveals session tokens in URL parameters or error messages.

  5. OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data (8.3.1). Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.