A recent penetration test on my app raised the following issue:
"A session identifier was observed to be disclosed within a URL parameter. Sensitive information contained within URLs may be logged in various locations, including user browsers, web servers, and any forward or reverse proxy servers between communication endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may also be disclosed to third parties via the ‘Referer’ header when any off-site links are followed. This is an OWASP top 10 vulnerability.
The host was identified to disclose a session token via the ‘token’ parameter in a GET request. Furthermore, the ‘okta_key’ value was also observed to be transmitted.
Sample Request:

GET /login/sessionCookieRedirect?checkAccountSetupComplete=true&token=[REDACTED]&redirectUrl=https%3A%2F%2F[REDACTED]%2Foauth2%2Fv1%2Fauthorize%2Fredirect%3Fokta_key%3D[REDACTED] HTTP/2
Host: [REDACTED]
Cookie: JSESSIONID=0FF50B952B96AB5B0B110645CC8AFD2B; t=default; DT=DI0khjXly6LQ8KGHQrr1qecAg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[REDACTED]/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=[REDACTED]"
Is there any way to prevent this?
Thanks
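One defensive measure for the log-exposure part of this finding, as an added example that is not from the poster or from Okta: a log scrubber that redacts the `token` and `okta_key` values before lines are retained, including the copy of `okta_key` nested inside the percent-encoded `redirectUrl` and inside the `fromURI` of the Referer, and reports which parameters were hit so a detection rule can alert on session material appearing in URLs. Hostnames and token values in the sample log line are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names taken from the pentest finding above; the nested ones wrap a
# second URL whose own query string carries okta_key.
SENSITIVE_PARAMS = {"token", "okta_key"}
NESTED_URL_PARAMS = {"redirecturl", "fromuri"}
REDACTED = "REDACTED"

def redact_url(url, depth=3):
    """Replace sensitive query values in url, descending into URL-valued
    parameters. Returns (scrubbed_url, [parameter names that were hit])."""
    parts = urlsplit(url)
    hits, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        key = name.lower()
        if key in SENSITIVE_PARAMS:
            hits.append(name)
            value = REDACTED
        elif key in NESTED_URL_PARAMS and depth > 0:
            # parse_qsl has already percent-decoded one layer, so the inner
            # URL is in plain form and can be scrubbed recursively.
            value, inner_hits = redact_url(value, depth - 1)
            hits.extend(inner_hits)
        cleaned.append((name, value))
    query = urlencode(cleaned, safe="")  # re-encode nested URLs as the request did
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment)), hits

# Matches absolute URLs and path-with-query request targets inside a log line.
URL_RE = re.compile(r'https?://[^\s"]+|/[^\s"]*\?[^\s"]*')

def scrub_log_line(line):
    """Scrub every URL in an access log line (request target and Referer alike).
    Returns (scrubbed_line, hits); a non-empty hits list is the detection signal."""
    hits = []
    def _sub(match):
        scrubbed, found = redact_url(match.group(0))
        hits.extend(found)
        return scrubbed
    return URL_RE.sub(_sub, line), hits

# Constructed combined-log-format line mirroring the finding's request and Referer.
SAMPLE_LINE = (
    '203.0.113.7 - - [10/Oct/2023:12:00:00 +0000] "GET /login/sessionCookieRedirect'
    '?checkAccountSetupComplete=true&token=20111abcDEF&redirectUrl=https%3A%2F%2F'
    'idp.example.com%2Foauth2%2Fv1%2Fauthorize%2Fredirect%3Fokta_key%3Dk9s8d7 HTTP/2" '
    '302 0 "https://idp.example.com/login/login.htm?fromURI=/oauth2/v1/authorize/'
    'redirect?okta_key=k9s8d7" "Mozilla/5.0"'
)

if __name__ == "__main__":
    scrubbed, hits = scrub_log_line(SAMPLE_LINE)
    print(scrubbed)
    print("leaked parameters:", hits)
```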