SESSION/URL REWRITING

Feature        Value
Type           Detection
Risk           OWASP A2
Covered by     Agent

URL rewriting is the technique of transporting the session ID inside a Uniform Resource Locator, better known as a URL.

Unlike a cookie, which travels in an HTTP header, a session ID placed in a URL can be disclosed in many ways.

For example:

If the session ID is not renewed after login, URL rewriting also enables another attack: session fixation. Here, an attacker visits the site, obtains a URL such as http://mysite/login;jsessionid=123, and delivers it to the victim by some means (such as an email). Once the victim logs in, the attacker has full access to the victim's session.

One advantage of URL rewriting, however, is that session tracking is controlled entirely by the server and the application.
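As an added detection example (not code from the original page or from the agent it describes), the following Python scans web-server access logs for session IDs carried in URLs, either as a `;jsessionid=` path parameter or as a query parameter, in both the request line and the Referer field, which is one of the places a URL-borne session ID leaks. The log lines, the parameter-name list and the redaction helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in NCSA combined log format (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login;jsessionid=ABC123DEF456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /app/index.php?PHPSESSID=9f8e7d6c HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4096 "http://mysite/home;jsessionid=XYZ789" "Mozilla/5.0"
"""

# Fields of the combined log format we need: client, request target, referer.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "(?P<referer>[^"]*)" ')
# Assumed list of parameter names commonly used for session identifiers.
SESSION_PARAM_RE = re.compile(r'^(jsessionid|phpsessid|aspsessionid\w*|sessionid|sid)$', re.I)

def session_ids_in_url(url):
    """Return [(param_name, value)] for session IDs found in the URL, either as a
    ';name=value' path parameter (servlet-style URL rewriting) or a query parameter."""
    found = []
    parts = urlsplit(url)  # urlsplit keeps ';params' inside .path, unlike urlparse
    for segment in parts.path.split('/'):
        for param in segment.split(';')[1:]:
            name, _, value = param.partition('=')
            if SESSION_PARAM_RE.match(name):
                found.append((name, value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SESSION_PARAM_RE.match(name):
            found.append((name, value))
    return found

def redact(value):
    """Keep a short prefix so findings can be correlated without logging the full ID."""
    return value[:4] + '...' if len(value) > 4 else '***'

def scan_log(text):
    """Return one finding per session ID seen in a request target or Referer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for field, where in (('target', 'request'), ('referer', 'referer')):
            for name, value in session_ids_in_url(m.group(field)):
                findings.append({'client': m.group('client'), 'where': where,
                                 'param': name, 'id': redact(value)})
    return findings

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A hit in the `referer` position shows the ID was already disclosed to a third party; a hit in `request` for a post-login path indicates the application is still rewriting URLs after authentication.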

More information

How to solve it

Consider the following additional controls: