These forums are read-only and considered to be an archive. Please use the new Community for future interaction and posts.

Security: sessionid being display in url

Hi Folks

We just received this as a result of a security audit:


 
Finding: Session Token In URL 
Category: Coding Practice
Severity:    High
Target(s):    http://www.mysite.com/FileVistaControl/upload.aspx

Description:    The URL in the request contains a session token within the query string Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Remediation:    The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Test Notes:    See Finding: Session Fixation. Below is a copy of the request and response received during testing.

Request:
POST /FileVistaControl/upload.aspx?rootFolderID=0&relativePath=New+Folder%2fpentest&ASP.NET_SessionId=idph03riotfcn5qloausxvm5&FT.Active=1&FT.OverrideProvider=1&FT.UploadID=13547255765589165 HTTP/1.1

Host: www.mysite.com
Proxy-Connection: keep-alive
Content-Length: 469
Origin: http://www.mysite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11
Content-Type: multipart/form-data; boundary=----------Ef1KM7Ij5Ij5ei4Ef1ei4ae0cH2ei4
Accept: */*
Referer: http://www.mysite.com/FileVistaControl/upload.aspx?rootFolderID=0&relativePath=New%20Folder%2Fpentest&refresh=1 



Rob Karatzas 1/14/2013 6:39 AM
Hi Rob,
I see that you are using a very old version (earlier than v2.1) of FileUltimate (old name was FileVistaControl). The cookies were added to the URL for handling the Flash cookie bug. However in later versions we found a better workaround and cookies are not visible in the URL. I recommend you to upgrade.
Cem Alacayir 1/14/2013 7:22 AM
thank you

it looks like we are using Version 1.9, from March 22, 2010.

will ask my boss to get the upgrade details.

Rob
Rob Karatzas 1/14/2013 8:11 AM