I'm applying for a program through organization X's website. I logged in, and was astounded to find a URL like this:
https://www.whatever.org/application?session=80_CHARACTER_HASH
80 characters in [0-9a-f] gives 16^80 ≈ 2.14 × 10^96 combinations.
So I deleted the hash and reloaded the page, and lo and behold, I got a 403 Unauthorized response. Changing the hash also causes a 403. Lastly, the hash changes on re-login, so I think it's safe to assume that a hash is generated, stored in the database for the user, and then appended to the querystring and checked on page load to find the correct user record in the database.
All pages inside user-specific pages require the session parameter to be correct. I don't know if/when login expires; I haven't sat around idle to find out.
To verify that this is a problem, I opened a new incognito window, copy/pasted the URL, and I had access to my account and application information.
Some problems that I can think of:
- Copy/pasting your live session through URL sharing
- The URL could be brute-forced (though it would be pretty hard to stumble across a valid hash)
- The URL is in various logs (firewall, server, 3rd party aggregating services, etc.)
What are the risks of storing a user's session in querystring parameters?
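The following is an added example written for this page; it is not code from the question, from the organization's site, or from any answer. It takes the two concrete points above and makes them checkable: it sizes the 16^80 keyspace the question computes, and it scans constructed access-log lines (not real data) for the session parameter, both in the request line and in the Referer header, since a browser fetching a same-origin sub-resource from a page whose URL carries the token sends that full URL as Referer by default. A redaction helper shows what a log pipeline would have to do to keep such logs at all. The log format, host name and parameter name `session` are taken from the question; everything else (sample IPs, timestamps, the `deadbeef` guess) is made up.

```python
import math
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "session"  # query parameter name seen in the question's URL

# Apache/nginx "combined" log format; we only use the request target and
# the Referer field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A session value: whatever follows "?session=" or "&session=" up to the
# next delimiter. Deliberately not restricted to 80 hex chars so that
# malformed guesses (which also land in logs) are reported too.
TOKEN_RE = re.compile(rf'(?<=[?&]){SESSION_PARAM}=([^&\s"]+)')


def keyspace(alphabet_size: int, length: int) -> tuple[int, float]:
    """Number of possible tokens and the equivalent entropy in bits."""
    return alphabet_size ** length, length * math.log2(alphabet_size)


def find_leaked_tokens(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, field, token) for every session value that
    appears in a request target or a Referer header. Unparseable lines
    are skipped."""
    leaks = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("target", "referer"):
            for token in TOKEN_RE.findall(m.group(field)):
                leaks.append((n, field, token))
    return leaks


def redact_session_url(url: str) -> str:
    """Replace the session value in a URL while keeping other parameters."""
    parts = urlsplit(url)
    query = [
        (k, "REDACTED" if k == SESSION_PARAM else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_log(log_text: str) -> str:
    """Mask session values wherever they occur in raw log text (request
    line and Referer alike), for logs that have to be retained."""
    return TOKEN_RE.sub(f"{SESSION_PARAM}=REDACTED", log_text)


# Constructed sample data, same shape as the question's URL: an 80-char
# hex token, a same-origin CSS fetch that carries the page URL as Referer,
# the "deleted hash" request (403) and a wrong-hash guess (403).
TOKEN = "0123456789abcdef" * 5
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /application?session={TOKEN} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /static/app.css HTTP/1.1" 200 800 "https://www.whatever.org/application?session={TOKEN}" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /application HTTP/1.1" 403 120 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /application?session=deadbeef HTTP/1.1" 403 120 "-" "curl/8.0"',
])

if __name__ == "__main__":
    combos, bits = keyspace(16, 80)
    print(f"16^80 = {combos:.3e} tokens ({bits:.0f} bits): guessing is not the weak point")
    for n, field, token in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {n}: session value in {field}: {token[:12]}...")
    print(redact_session_url(f"https://www.whatever.org/application?session={TOKEN}&page=2"))
```

Run as-is it reports the token twice for one page view (request line and the CSS request's Referer) plus the failed guess, which is the practical version of "the URL is in various logs": the entropy of the token does not matter once it is written to disk on every hop. The redaction helpers are the minimum a log pipeline would need; moving the session to a cookie removes the problem at the source.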