CWE-6 - J2EE Misconfiguration: Insufficient Session-ID Length

Abstraction:
Variant

Structure:
Simple

Status:
Incomplete

Weakness Name: J2EE Misconfiguration: Insufficient Session-ID Length

Description: The J2EE application is configured to use an insufficient session ID length.
If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Common Consequences: Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: If an attacker can guess an authenticated user's session identifier, they can take over the user's session.

Related Weaknesses: CWE-334Small Space of Random Values

Release Date:
2006-07-19

Latest Modification Date:
2023-06-29

Top Security News

Data Leak Exposes TopSec's Role in China's Censorship-as-a-Service Operations

Data Leak Exposes TopSec's Role in China's Censorship-as-a-Service Operations

Cisco Confirms Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks

Cisco Confirms Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks

Black Basta ransomware gang's internal chat logs leak online

Black Basta ransomware gang's internal chat logs leak online

EncryptHub breaches 618 orgs to deploy infostealers, ransomware

EncryptHub breaches 618 orgs to deploy infostealers, ransomware

SonicWall firewall bug leveraged in attacks after PoC exploit release

SonicWall firewall bug leveraged in attacks after PoC exploit release

CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks

CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks

U.S. recovers $31 million stolen in 2021 Uranium Finance hack

U.S. recovers $31 million stolen in 2021 Uranium Finance hack

Beware: PayPal "New Address" feature abused to send phishing emails

Beware: PayPal "New Address" feature abused to send phishing emails

Top Alert List

Content Security Policy (CSP) Header Not Set

MediumMissing Anti-clickjacking Header

MediumAbsence of Anti-CSRF Tokens

MediumContent Security Policy (CSP) Header Not Set

InformationalInformation Disclosure - Suspicious Comments

LowCross-Domain JavaScript Source File Inclusion

HighPII Disclosure

InformationalRe-examine Cache-control Directives

MediumCross-Domain Misconfiguration

Top CVE List

CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability

CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability

CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability

CVE-2025-24989 Microsoft Power Pages Improper Access Control Vulnerability

CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability

CVE-2024-41710 Mitel SIP Phones Argument Injection Vulnerability

CVE-2017-6736 Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability

CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability

CVE-2025-0108 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

CVE-2017-3881 Cisco IOS and IOS XE Remote Code Execution Vulnerability

Common CWEs

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

LowCWE-1038 Insecure Automated Optimizations

CWE-237 Improper Handling of Structural Elements

CWE-528 Exposure of Core Dump File to an Unauthorized Control Sphere

CWE-1176 Inefficient CPU Computation

CWE-939 Improper Authorization in Handler for Custom URL Scheme

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

CWE-623 Unsafe ActiveX Control Marked Safe For Scripting

HighCWE-500 Public Static Field Not Marked Final

MediumCWE-364 Signal Handler Race Condition

Free online web security scanner

Don't show website scan report rating on the leaderboard