Referer Exposes Session ID

Risk:
Medium

Type:
Passive

CWE:
CWE-200

Summary: A hyperlink pointing to another host name was found. As session ID URL rewrite is used, it may be disclosed in referer header to external hosts.

Solution: This is a risk if the session ID is sensitive and the hyperlink refers to an external or third party host. For secure content, put session ID in secured session cookie.

References: https://seclists.org/webappsec/2002/q4/111

Free security scan for your website

Don't show website scan report rating on the leaderboard