# Exposure of Sensitive Information to an Unauthorized Actor
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description
Storing session IDs in URLs (using methods like encodeURL or encodeRedirectURL) exposes sensitive session information, as URLs can be logged, bookmarked, or leaked to third parties. This makes it easier for attackers to steal user sessions.
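The pattern the rule flags, shown next to a hardened configuration, as an added example (not code from the original rule page). It assumes the Jakarta Servlet API (5.0 or later) on the classpath; the class names and paths are illustrative, and servlet/listener registration is assumed to work through the annotations shown (web.xml registration is equivalent).

```java
// Added example: session ID exposure through servlet URL rewriting, and the
// container-level fix. Assumes Jakarta Servlet 5.0+; names are illustrative.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;

import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.SessionCookieConfig;
import jakarta.servlet.SessionTrackingMode;
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

public class SessionInUrlExample {

    /**
     * VULNERABLE: encodeURL/encodeRedirectURL let the container append
     * ";jsessionid=<id>" to the link or redirect target whenever it decides
     * URL rewriting is needed (for instance before a session cookie has been
     * confirmed). The session ID then ends up in access logs, browser
     * history, bookmarks and Referer headers sent to third parties.
     */
    @WebServlet("/vulnerable/account")
    public static class VulnerableAccountServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            req.getSession(true);                       // make sure a session exists
            String link = resp.encodeURL("/account/settings");
            resp.setContentType("text/html");
            PrintWriter out = resp.getWriter();
            out.println("<a href=\"" + link + "\">Settings</a>");
            // Same problem on redirects:
            // resp.sendRedirect(resp.encodeRedirectURL("/account/settings"));
        }
    }

    /**
     * HARDENED, part 1: restrict session tracking to cookies for the whole
     * web application. After this, encodeURL/encodeRedirectURL return their
     * argument unchanged and a ";jsessionid=" path parameter in an incoming
     * request is no longer honoured. setSessionTrackingModes must run during
     * context initialisation, which is why it lives in a listener.
     */
    @WebListener
    public static class CookieOnlySessionConfig implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setHttpOnly(true);   // not readable from script
            cookie.setSecure(true);     // only sent over TLS
        }
    }

    /**
     * HARDENED, part 2: emit plain URLs and never call the encode* methods,
     * so the session ID travels only in the session cookie.
     */
    @WebServlet("/account")
    public static class HardenedAccountServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            req.getSession(true);
            resp.setContentType("text/html");
            PrintWriter out = resp.getWriter();
            out.println("<a href=\"/account/settings\">Settings</a>");
        }
    }
}
```

The same restriction can be declared without code in web.xml with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`; either way, removing the `encodeURL`/`encodeRedirectURL` calls is what keeps the rule from firing, and the tracking-mode setting is the defence in depth that stops the container from rewriting URLs anywhere else.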
## Impact
If an attacker obtains a session ID from the URL, they can hijack user sessions and potentially gain unauthorized access to user accounts or sensitive data. This can lead to data breaches, account compromise, and loss of trust in the application.
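Because the exposure materialises in logs, a quick check is to scan existing access logs for session IDs that have already leaked through URLs. The scanner below is an added example, not part of the original rule page; the log lines are constructed samples in combined log format, and the session IDs in them are made up.

```java
// Added example: find session IDs carried in request URLs in access logs,
// reporting them masked so the report itself does not leak the value.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SessionIdInUrlScanner {

    // ";jsessionid=" as a path parameter (servlet URL rewriting) or
    // "jsessionid=" as a query parameter; matched case-insensitively.
    private static final Pattern SESSION_IN_URL =
            Pattern.compile("(?i)[;?&]jsessionid=([A-Za-z0-9._-]+)");

    /** One finding per log line whose request URL carries a session ID. */
    public static List<String> scan(List<String> accessLogLines) {
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < accessLogLines.size(); i++) {
            Matcher m = SESSION_IN_URL.matcher(accessLogLines.get(i));
            if (m.find()) {
                findings.add("line " + (i + 1)
                        + ": session ID in URL (" + mask(m.group(1)) + ")");
            }
        }
        return findings;
    }

    /** Keep only a short prefix and suffix so the ID cannot be reused. */
    static String mask(String id) {
        if (id.length() <= 6) {
            return "***";
        }
        return id.substring(0, 3) + "..." + id.substring(id.length() - 3);
    }

    public static void main(String[] args) {
        // Constructed sample lines; not real traffic.
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] \"GET /account/settings;jsessionid=ABCDEF0123456789 HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0\"",
            "10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] \"GET /account/settings HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0\"",
            "10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] \"GET /login?next=/home&JSESSIONID=0123456789ABCDEF HTTP/1.1\" 302 0 \"-\" \"curl/8.0\""
        );
        scan(sample).forEach(System.out::println);
    }
}
```

Any hit means the ID was already written to disk by the web server, so the corresponding sessions should be treated as exposed and invalidated, and log retention or scrubbing reviewed alongside the code fix.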