How do we fix "Information Leak in URL parameter"?

Aug 14, 2009 at 10:26 PM

I posted this bug against my product, and my dev team is asking how we would fix the bug. Do you have any guidance here? Would it be solved by putting it as a POST parameter? Doesn't this information still leak in a MITM attack regardless of where we put it in transport?

"1) A(n) 'sessionid' seems to have been found with the value:

sessionId=36.908e1a09-34e0-4139-adef-dfb22726caf2224.1.....5.en-US5.en-US73.+0480#0000-11-00-01T02:00:00:0000#+0000#0000-03-00-02T02:00:00:0000#-006036.b7138c4c-a49d-4dfe-9ff5-8ba194ce8bc624.k2C0JxtVFEuoEnrz3J801Q=="

 

Coordinator
Aug 14, 2009 at 11:36 PM

The sessionId would be better protected as a cookie.  URL's are bad places for sensitive data because of the many places they get stored - proxy and web server logs, browser history, etc.  A cookie or POST parameter serve as better mediums for transmitting sensitive data.

You're right, if the transport is not protected with SSL, the the sessionId would be exposed to MITM no matter which part of the request it was in.  However still, URL's expose data much more than cookies or POST parameters.

I'm in the process of adding recommendations to each of the findings Watcher reports in prepartion of our 1.3 release in the next few weeks.