CWE-6 - J2EE Misconfiguration: Insufficient Session-ID Length

CWE-6

Abstraction:
Variant

Structure:
Simple

Status:
Incomplete

Weakness Name: J2EE Misconfiguration: Insufficient Session-ID Length

Description: The J2EE application is configured to use an insufficient session ID length.
If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Common Consequences: Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: If an attacker can guess an authenticated user's session identifier, they can take over the user's session.

Related Weaknesses: CWE-334Small Space of Random Values

Release Date:
2006-07-19

Latest Modification Date:
2023-06-29

Free security scan for your website

Don't show website scan report rating on the leaderboard