The system must not expose session IDs in URLs
and messages presented to the user.
Session IDs are sensitive information: an attacker who obtains one can act as
the user and steal, modify and/or destroy the information that user can reach.
Information sent via URL parameters is:
stored in clear text in the browser history.
sent to external sites via the referrer HTTP header.
sent to external sites (search engines) via the search bar if the browser
interprets a pasted URL as a search query.
visible to scripts running on the browser that may belong to
Therefore, session IDs should neither be sent via URL parameters,
nor displayed as messages presented to the user nor stored in logs.
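The following is an added example, not code from Fluid Attacks or from the
requirement itself. It shows the three places this requirement bites: a check
that flags session-ID-looking parameters in a URL (query string and Java-style
";jsessionid=" path parameters), a redactor that masks such values in log lines
and error messages before they are stored or shown, and the alternative to URL
transport, a Set-Cookie header with HttpOnly, Secure and SameSite. The list of
parameter names, the sample URLs and the sample log lines are constructed
assumptions for the example.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Parameter names commonly used to carry session identifiers. Assumption for
# this example: extend it with whatever names your frameworks actually use.
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "asp.net_sessionid", "sessionid",
    "session_id", "sid", "session", "token",
}

# Java-style URL rewriting puts the ID in a path parameter: /app;jsessionid=ABC
_PATH_PARAM_RE = re.compile(r";(?P<name>[A-Za-z0-9_.]+)=(?P<value>[^;/?#]+)")

# name=value not preceded by an identifier character (so csrf_token= is not
# mistaken for token=); the value ends at whitespace, a delimiter or a quote.
_TEXT_PARAM_RE = re.compile(
    r"(?i)(?<![A-Za-z0-9_])("
    + "|".join(re.escape(n) for n in sorted(SESSION_PARAM_NAMES, key=len, reverse=True))
    + r")=([^\s&;\"']+)"
)


def find_session_ids_in_url(url: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs of session-ID-looking parameters in a URL.

    Checks the query string and ';name=value' path parameters. Names are
    compared case-insensitively; the original spelling is returned.
    """
    parts = urlsplit(url)
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name, value))
    for m in _PATH_PARAM_RE.finditer(parts.path):
        if m.group("name").lower() in SESSION_PARAM_NAMES:
            found.append((m.group("name"), m.group("value")))
    return found


def redact_session_ids(text: str, mask: str = "[REDACTED]") -> str:
    """Mask session-ID values in free text (access logs, stack traces,
    error messages) so the token never reaches storage or the user."""
    return _TEXT_PARAM_RE.sub(lambda m: f"{m.group(1)}={mask}", text)


def build_session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie header carrying the session ID the way it should travel:
    HttpOnly (not readable by page scripts), Secure (sent over TLS only),
    SameSite=Strict (not attached to cross-site requests), instead of a URL
    parameter that lands in history, referrers and logs."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["samesite"] = "Strict"
    c[name]["path"] = "/"
    return c[name].OutputString()


# Constructed sample input for the example (not real traffic).
SAMPLE_URLS = [
    "https://app.example/account;jsessionid=8A3F2C9E1B?view=summary",
    "https://app.example/login?next=/home&PHPSESSID=d41d8cd98f",
    "https://app.example/search?q=invoices",
]
SAMPLE_LOG = (
    '10.0.0.5 - - "GET /account?sid=7f9a2b HTTP/1.1" 200\n'
    "ERROR session validation failed for session_id=4c1d2e3f user=alice\n"
)

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", find_session_ids_in_url(url) or "clean")
    print(redact_session_ids(SAMPLE_LOG))
    print(build_session_cookie_header("sid", "7f9a2b"))
```

In practice `find_session_ids_in_url` is the check to run over outgoing
redirects (the `Location` header) and over links rendered into pages, and
`redact_session_ids` is the filter to put in front of the logging handler
and the error page renderer.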
F017. Sensitive information sent insecurely
F030. Sensitive information sent via URL parameters
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
The product exposes sensitive information to an actor that is not explicitly
authorized to have access to that information.
CWE-319: Cleartext Transmission of Sensitive Information.
The software transmits sensitive or security-critical data in cleartext in a
communication channel that can be sniffed by unauthorized actors.
CWE-598: Use of GET Request Method With Sensitive Query Strings
The web application uses the HTTP GET method to process a request and includes
sensitive information in the query string of that request.
V3.1 Client-side Data Protection.(3.1.1)
Verify the application never reveals session tokens in URL parameters or error
V8.3 Sensitive Private Data.(8.3.1)
Verify that sensitive data is sent to the server in the HTTP message body or
headers, and that query string parameters from any HTTP verb do not contain sensitive
Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.