SV.IL.SESSION.CLIENT
HttpServletRequest.getRequestedSessionId method should not be used
Klocwork reports a SV.IL.SESSION.CLIENT defect when the HttpServletRequest.getRequestedSessionId() method is used.
Vulnerability and risk
According to the Oracle Java API, the HttpServletRequest.getRequestedSessionId() method, "Returns the session ID specified by the client. This may not be the same as the ID of the current valid session for this request. If the client did not specify a session ID, this method returns null."
The session ID the method returns is transmitted either in a cookie or in a URL parameter, so by definition nothing prevents the end user from manually editing the value of this session ID in the HTTP request.
Here is an example of an updated HTTP header:
GET /pageSomeWhere HTTP/1.1
Host: webSite.com
User-Agent: Mozilla/5.0
Cookie: JSESSIONID=Hacked_Session_Value'''">
Because the end-user can manually change the value, the session ID in the request should only be used by a servlet container (for example, Tomcat or Jetty) to see if the value matches the ID of an existing session. If the session ID doesn't match, the user should be considered unauthenticated.
Mitigation and prevention
Do not use the HttpServletRequest.getRequestedSessionId method. Instead, generate a fresh session ID when a user logs in.
Vulnerable code example 1
import javax.servlet.http.*;
import javax.servlet.*;
import java.security.*;
import java.io.*;
class Test extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String id = request.getRequestedSessionId();  // client-supplied value; the end user can set it to anything
        if (authenticate(id)) {                        // security decision made on untrusted input
            // ... serve the page to the "authenticated" user
        }
    }
    // Stub for the page's undefined authenticate(): trusts any non-empty client-supplied ID.
    private boolean authenticate(String id) {
        return id != null && !id.isEmpty();
    }
}
Klocwork reports an SV.IL.SESSION.CLIENT defect on line 8, indicating, "Session id provided by client can manually be changed which updates this value in HttpRequest."
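The following is an added example (not Klocwork's code and not from the page's "Vulnerable code example 1") showing the hardened counterpart of that servlet, applying the advice in "Mitigation and prevention": the requested session ID is never read by application code, the container's own lookup (getSession(false) / isRequestedSessionIdValid()) decides whether a session exists, and a fresh container-generated ID is issued on login. The servlet name, the "user" session attribute and the in-memory credential store are assumptions constructed for the example; a real application would check a salted password hash from its user store.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example (not Klocwork's code). Assumes the Servlet API (javax.servlet, as on the page).
public class LoginServlet extends HttpServlet {

    // Constructed demo credential store: one user, SHA-256 of a demo password.
    // A real application loads salted password hashes from its user database.
    private static final String DEMO_USER = "alice";
    private static final byte[] DEMO_PASSWORD_HASH = sha256("demo-password");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Do NOT call request.getRequestedSessionId() here. The container already
        // compared the client-supplied ID against its session table; getSession(false)
        // returns the matching session, or null if the ID is unknown or expired.
        // (request.isRequestedSessionIdValid() exposes the same container check as a boolean.)
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            // Unknown, stale, or never-logged-in session: treat the caller as unauthenticated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("Hello, " + session.getAttribute("user"));
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");
        String password = request.getParameter("password");
        if (!checkCredentials(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Generate a fresh session ID on login: discard whatever session the client
        // arrived with (it may carry an attacker-chosen ID) and let the container
        // create a new one before any authenticated state is stored in it.
        HttpSession stale = request.getSession(false);
        if (stale != null) {
            stale.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user);
        response.setStatus(HttpServletResponse.SC_OK);
    }

    // Constant-time comparison of the submitted password's digest against the stored one.
    private boolean checkCredentials(String user, String password) {
        if (user == null || password == null || !DEMO_USER.equals(user)) {
            return false;
        }
        return MessageDigest.isEqual(sha256(password), DEMO_PASSWORD_HASH);
    }

    private static byte[] sha256(String input) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(input.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by every Java platform", e);
        }
    }
}
```

The point of the two methods is the division of labour the page describes: the container alone decides whether a client-supplied ID names a live session, and application code only ever works with the HttpSession object it hands back. Invalidating the arriving session and creating a new one at login (or, on Servlet 3.1+, calling request.changeSessionId()) is what "generate a fresh session ID when a user logs in" looks like in practice, and it is also what keeps a pre-set JSESSIONID cookie from becoming a logged-in session.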
External guidance
- CERT MSC11-J: Do not let session information leak within a servlet
- CWE-807: Reliance on Untrusted Inputs in a Security Decision
- OWASP A2:2017 Broken Authentication
- OWASP A4:2021 Insecure Design
- V-222578 (APSC-DV-002240): The application must destroy the session ID value and/or cookie on logoff or browser close.
Security training
Application security training materials provided by Secure Code Warrior.