bahmni-bihar / bahmni_config


Session token transmitting in URL #7

Open petmongrels opened 3 years ago

petmongrels commented 3 years ago

Medium

"OWASP Session Management Testing", "OWASP Authentication Testing"

Session tokens are unique pieces of information shared between the browser and the server. They make it possible to track user activity and differentiate between users. If you place a session token directly in the URL, it increases the risk of an attacker capturing and exploiting it. Anyone who follows that URL inherits the session. When you connect to the web server using HTTPS the risk is less than if you use HTTP, but it is still a threat. Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

1. We visited the URL and captured the request in Burp Suite.
2. We noticed that the session token was there in the GET request.

Proof of concept is attached along with this Tracker.

Estimate 2
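The check below is an added example, not code from the Bahmni project or from the reporter: it scans access-log lines for requests whose URL carries a session identifier, either as a query parameter or as a Java-servlet-style `;jsessionid=` path parameter, so a defender can confirm the finding and verify the fix from server logs. The parameter names in `SESSION_PARAM_NAMES` and the log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names commonly used for session identifiers (assumed list; extend for your app).
SESSION_PARAM_NAMES = {"jsessionid", "sessionid", "session_id", "sid", "token", "phpsessid"}

# Matches the "METHOD /path?query HTTP/1.x" part of a common-log-format line.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def session_tokens_in_url(url):
    """Return (location, parameter-name) pairs for session tokens found in a request URL."""
    found = []
    parts = urlsplit(url)
    # Case 1: token passed in the query string, e.g. /home?sessionId=abc
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append(("query", name))
    # Case 2: servlet containers may rewrite the id into the path, e.g. /page;jsessionid=abc
    for segment in parts.path.split("/"):
        for matrix_param in segment.split(";")[1:]:
            name = matrix_param.split("=", 1)[0]
            if name.lower() in SESSION_PARAM_NAMES:
                found.append(("path", name))
    return found


def scan_log(lines):
    """Return (line_no, method, url, findings) for every request with a token in its URL."""
    results = []
    for line_no, line in enumerate(lines, 1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        findings = session_tokens_in_url(match.group("url"))
        if findings:
            results.append((line_no, match.group("method"), match.group("url"), findings))
    return results


SAMPLE_LOG = [  # constructed sample lines, not taken from any real deployment
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/index.htm HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /app/home?sessionId=abc123 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /app/patient;jsessionid=DEADBEEF?id=42 HTTP/1.1" 200 90',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "POST /app/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, method, url, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {url} -> {findings}")
```

Once the application moves the token into an HttpOnly, Secure cookie, re-running this scan over fresh logs should return no findings.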