Session Token in URL Vulnerability

The HTTP protocol and web servers are stateless by nature. This means that there is no way for them to track user activity. The web server treats every request as a new one. For this reason, browsers and web servers need to use session tokens.

Session tokens are unique pieces of information shared between the browser and the server. They make it possible to track user activity and differentiate between users. For example, an e-commerce application may use a session token to identify the shopping cart that belongs to a particular user.

There are different ways to share session tokens. They are most commonly included in cookies, but alternative methods are quite widespread as well. Such methods include sending the session tokens directly in URLs, in dynamically rewritten URLs, or hidden in the HTML source of the web page. These methods are often combined, and their use is on the rise because users often disable cookies in web browsers due to privacy concerns.

Why Is Using Session Tokens in URLs a Bad Idea?

The easiest method of sharing session tokens is placing one directly in the URL. Using such a URL, a user who was authenticated earlier can access their account. This method is not inherently insecure, but if the session token is not validated by the server, it could lead to potentially high-risk vulnerabilities.

If you place a session token directly in the URL, it increases the risk of an attacker capturing and exploiting it. Anyone who follows that URL inherits the session. When you connect to the web server using HTTPS, the risk is lower than with HTTP, but it is still a threat.

HTTPS URLs are encrypted during transmission but they are often stored in server logs. Anyone who gains access to the logs can exploit these tokens. In the worst case, this can lead to session fixation or session hijacking. Therefore, even though we classify the Session Token in URL vulnerability as low severity, you should not take it lightly.
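The following added example (not Acunetix code) shows how a defender could audit access logs for this exposure: it scans Combined Log Format entries for session-like parameters in the request URL and in the logged Referer field, and returns a redacted copy of each line. The parameter-name list and the sample log entries are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed parameter names for session identifiers; adjust to your stack.
SESSION_PARAMS = {"jsessionid", "phpsessid", "sid", "sessionid", "session_id"}

# Combined Log Format: request line, then status, size and the quoted Referer.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')
REFERER_RE = re.compile(r'" \d{3} \S+ "(?P<url>[^"]*)"')

def tokens_in_url(url):
    """Return raw (name, value) pairs for session-like parameters in a URL."""
    parts = urlsplit(url)
    pairs = []
    # Path parameters from URL rewriting, e.g. /cart;jsessionid=ABC
    for segment in parts.path.split("/"):
        pairs += segment.split(";")[1:]
    # Query-string parameters, e.g. ?sid=ABC (kept raw so redaction matches)
    pairs += parts.query.split("&")
    found = []
    for pair in pairs:
        name, _, value = pair.partition("=")
        if name.lower() in SESSION_PARAMS and value:
            found.append((name, value))
    return found

def scan_line(line):
    """Return ([(field, param_name)], line with token values redacted)."""
    findings = []
    for field, regex in (("request", REQUEST_RE), ("referer", REFERER_RE)):
        match = regex.search(line)
        if not match:
            continue
        for name, value in tokens_in_url(match.group("url")):
            findings.append((field, name))
            line = line.replace(f"{name}={value}", f"{name}=[REDACTED]")
    return findings, line

# Constructed sample entries (documentation IP ranges, made-up token values).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /account?sid=a1b2c3d4e5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /cart;jsessionid=F00DBEEF HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:57:11 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "https://shop.example/account?sid=a1b2c3d4e5" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:58:40 +0000] "GET /products?page=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scan_line(entry))
```

Any finding means a live or recently live token sits in a file that log readers can open, so the affected sessions should be invalidated in addition to redacting the logs.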

What Are the Alternatives?

Applications should use alternative methods of sharing session tokens, for example, HTTP cookies. You should also encrypt traffic to such applications, because it is possible to retrieve session tokens from unencrypted applications.

If you cannot use cookies, you can send session tokens using hidden input fields. Unfortunately, this is also not foolproof. Attackers may explore the HTML source code to identify and hack hidden fields used to send these tokens.

Bernhard Abele
Technical Support Engineer, Acunetix
Bernhard Abele is an Operations Engineer working for Acunetix. He's a Bachelor of Science (Hons.) in Computer Systems and Networking and has a technical background with over 3 years of technical support experience.