Session ID in URL (Via URL Rewrite)
What is it?
The API server rewrites the original API URL into a new URL that carries the session ID as a query parameter and redirects the client to it.
This is insecure because URLs are cached, logged, and generally visible in the browser, so any URL that carries a secret such as a session ID is likely to leak that secret, which can lead to account takeover.
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Responses sent by the API server are analyzed for redirects to rewritten URLs that have session IDs embedded as query parameters.
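The check described above, written out as an added Python example (this is illustration code, not the scanner's own implementation). It inspects a redirect response's Location header for a session ID carried either as a query parameter or as a servlet-style ";jsessionid=" path segment. The list of parameter names, the token-shape regex, and the sample responses are constructed assumptions for the example; a finding records only a prefix of the leaked value so the scanner's own report does not repeat the secret.

```python
"""Detect session IDs leaked into URLs via redirect-based URL rewriting.

Added illustration; not the product's own code. The parameter-name list,
token regex and sample responses below are constructed assumptions.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names commonly used to carry a session token (assumed list).
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "aspsessionid", "asp.net_sessionid",
    "sessionid", "session_id", "sid", "session", "token",
}

# Values that look like tokens: reasonably long hex / base64-ish strings.
TOKEN_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-.~+/=]{16,}$")

# Servlet containers rewrite the path as "/resource;jsessionid=<id>", not the query.
PATH_SESSION_RE = re.compile(r";(jsessionid)=([^;/?#]+)", re.IGNORECASE)

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def find_session_in_url(url: str) -> Optional[tuple[str, str]]:
    """Return (param_name, value) if the URL carries a session-like identifier."""
    parts = urlsplit(url)
    m = PATH_SESSION_RE.search(parts.path)
    if m:
        return (m.group(1).lower(), m.group(2))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES and TOKEN_VALUE_RE.match(value):
            return (name.lower(), value)
    return None


def check_response(status: int, headers: dict[str, str]) -> Optional[dict]:
    """Flag a redirect whose Location header embeds a session ID.

    Returns a finding dict, or None when the response is not a redirect or the
    target URL carries no session-like parameter.
    """
    if status not in REDIRECT_STATUSES:
        return None
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return None
    hit = find_session_in_url(location)
    if hit is None:
        return None
    name, value = hit
    # Store only a prefix: the report itself must not become another copy of the leak.
    return {"location": location, "param": name, "value_prefix": value[:6] + "..."}


# Constructed sample responses: (status, headers). Two leak a session ID, two do not.
SAMPLE_RESPONSES = [
    (302, {"Location": "https://api.example.test/v1/me?sessionid=9f8e7d6c5b4a39281706f5e4d3c2b1a0"}),
    (302, {"Location": "https://api.example.test/v1/me;jsessionid=ABC123DEF456GHI789JKL"}),
    (302, {"Location": "https://api.example.test/v1/me?page=2"}),
    (200, {"Content-Type": "application/json"}),
]


def scan(responses) -> list[dict]:
    """Run the check over a list of (status, headers) pairs and collect findings."""
    return [f for f in (check_response(s, h) for s, h in responses) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(finding)
```

Running the module against the constructed samples reports the two redirects that carry a session ID (one in the query string, one in the path) and ignores the plain pagination redirect and the non-redirect JSON response. A real scanner would widen the parameter-name list and also check Set-Cookie-less 200 responses whose body links contain the same pattern, but the redirect Location header is the case this test case targets.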
What is the solution?