Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-2254

"HttpServletRequest.getRequestedSessionId()" should not be used

    Details

    • Message:
      Remove the use of this insecure "getRequestedSessionId()" method.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-807
    • OWASP:
      A2
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      SERVLET_SESSION_ID

      Description

      According to the Oracle Java API, the HttpServletRequest.getRequestedSessionId() method:

      Returns the session ID specified by the client. This may not be the same as the ID of the current valid session for this request. If the client did not specify a session ID, this method returns null.

      The session ID it returns is either transmitted in a cookie or a URL parameter so by definition, nothing prevents the end-user from manually updating the value of this session ID in the HTTP request.

      Here is an example of a updated HTTP header:

      GET /pageSomeWhere HTTP/1.1
      Host: webSite.com
      User-Agent: Mozilla/5.0
      Cookie: JSESSIONID=Hacked_Session_Value'''">
      

      Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (E.G. Tomcat or Jetty) to see if the value matches the ID of an an existing session. If it does not, the user should be considered unauthenticated. Moreover, this session ID should never be logged to prevent hijacking of active sessions.

      Noncompliant Code Example

      if(isActiveSession(request.getRequestedSessionId()) ){
        ...
      }
      

      See

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                freddy.mallet Freddy Mallet (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated: