Isaca CCOA Question Answer
Exposing the session identifier in a URL is an example of which web application-specific risk?
A. Cryptographic failures
B. Insecure design and implementation
C. Identification and authentication failures
D. Broken access control
Exposing the session identifier in a URL is a classic example of an identification and authentication failure because:
Session Hijacking Risk: Attackers can intercept session IDs when exposed in URLs, especially through techniques like referrer header leaks or logs.
Session Fixation: If the session ID is predictable or accessible, attackers can force a user to log in with a known ID.
OWASP Top Ten 2021 - Identification and Authentication Failures (A07): Exposing session identifiers makes it easier for attackers to impersonate users.
Secure Implementation: Best practices dictate storing session IDs in HTTP-only cookies rather than in URLs to prevent exposure.
Other options analysis:
A. Cryptographic failures: This risk involves improper encryption practices, not session management.
B. Insecure design and implementation: Broad category, but this specific flaw is more aligned with authentication issues.
D. Broken access control: Involves authorization flaws rather than authentication or session handling.
CCOA Official Review Manual, 1st Edition References:
Chapter 4: Web Application Security: Covers session management best practices and related vulnerabilities.
Chapter 8: Application Security Testing: Discusses testing for session-related flaws.
TESTED 02 Aug 2025
Copyright © 2014-2025 ACE4Sure. All Rights Reserved