Session ID in URL Rewrite (socket.io GitHub issue)
You want to:
- report a bug
- request a feature
Current behaviour
socket.io will add ?sid= to the URL when trying to connect.
Steps to reproduce (if the current behaviour is a bug)
Normal use of socket.io client for javascript
Expected behaviour
Can we move the sid to header ?
Other information (e.g. stacktraces, related issues, suggestions how to fix)
Context: We ran a pen test against our socket app using ZAProxy. One of the alerts we got is this:
Session ID in URL Rewrite:
URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.
Adding sid to the URL is problematic according to ZAProxy.
My URL is like this:
http://localhost:3000/socket.io/?channel=widget&EIO=3&transport=websocket&sid=0JfeAmWw8EceWQkTAAAA
Can someone explain the security risk if someone can get other people’s sid? Can it be used to listen/publish or get older messages? Can we move the sid to a header?
thanks
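The ZAP alert quoted above names two exposure paths for an identifier carried in the query string: cross-site Referer headers and server logs. The following is an added example (not code from this issue or from the socket.io project) showing the log-side check and mitigation a defender would apply: a scanner that flags access-log requests whose URL carries a session-id parameter, and a redaction function that strips the value before the line is written. The parameter-name list and the sample log lines are constructed for this example; they are not ZAP's rule definition or real traffic.

```javascript
// Added example, not part of the socket.io issue or project.
// Detect and redact session identifiers carried in URL query strings,
// the condition the ZAP "Session ID in URL Rewrite" alert flags.

// Query parameter names treated as session identifiers.
// This list is an assumption for the example, not ZAP's own rule.
const SESSION_PARAM_NAMES = new Set([
  'sid', 'sessionid', 'session_id', 'jsessionid', 'phpsessid',
]);

// Return { name, value } for the first session-id parameter in a URL, or null.
function findSessionIdInUrl(rawUrl) {
  let parsed;
  try {
    // Access logs hold relative request targets; a base is needed to parse them.
    parsed = new URL(rawUrl, 'http://placeholder.invalid');
  } catch {
    return null; // unparseable input is not a finding
  }
  for (const [name, value] of parsed.searchParams) {
    if (SESSION_PARAM_NAMES.has(name.toLowerCase()) && value !== '') {
      return { name, value };
    }
  }
  return null;
}

// Match "?sid=..." or "&sid=..." (any listed name) up to the next delimiter.
const SID_PATTERN = new RegExp(
  '([?&](?:' + [...SESSION_PARAM_NAMES].join('|') + ')=)[^&\\s"]*',
  'gi'
);

// Replace the value of any session-id parameter in a text line (for example an
// access-log entry) with a fixed marker so the identifier never reaches log storage.
function redactSessionIds(line) {
  return line.replace(SID_PATTERN, '$1[REDACTED]');
}

// Scan Common Log Format lines and report those whose request URL carried a session id.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    // The request target sits between the method and the HTTP version in the quoted request.
    const m = line.match(/"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const hit = findSessionIdInUrl(m[1]);
    if (hit) findings.push({ line, param: hit.name });
  }
  return findings;
}

// Constructed sample log lines. The first reuses the URL from the issue text;
// the sid in the third line is invented.
const SAMPLE_LOG = [
  '127.0.0.1 - - [01/Jan/2020:00:00:00 +0000] "GET /socket.io/?channel=widget&EIO=3&transport=websocket&sid=0JfeAmWw8EceWQkTAAAA HTTP/1.1" 101 0',
  '127.0.0.1 - - [01/Jan/2020:00:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 5120',
  '127.0.0.1 - - [01/Jan/2020:00:00:02 +0000] "POST /socket.io/?EIO=3&transport=polling&sid=abc123 HTTP/1.1" 200 2',
];

for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log('session id found in request URL via parameter:', f.param);
}
for (const line of SAMPLE_LOG) {
  console.log(redactSessionIds(line));
}
```

Engine.IO sends the sid as a query parameter on the polling and upgrade requests that follow the handshake, so on the server the practical controls are the ones the alert implies: run the redaction above in the access-log formatter so stored logs never contain the value, and send a Referrer-Policy such as strict-origin-when-cross-origin so that cross-site navigations from the page carry only the origin, not the query string.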
Issue Analytics
- Created 5 years ago
- Reactions: 7
- Comments: 7 (2 by maintainers)
Top GitHub Comments
any news?
Closed due to inactivity, please reopen if needed.