ASP.NET Cookieless Session State Enabled

low Web App Scanning Plugin ID 114610

Language:

Synopsis

ASP.NET Cookieless Session State Enabled

Description

.NET Framework offers an alternative to cookie based session management named 'cookieless' by allowing developers to store the session ID directly in URLs rather than in cookies. When enabled, this feature can be abused to make session hijacking attacks easier to exploit or to craft valid URLs in order to bypass security mechanisms such as Web Application Firewalls (WAFs) or path based restrictions.

Solution

Ensure that .NET Cookieless feature is disabled by forcing the value of the 'cookieless' attribute of the <sessionState> configuration to 'UseCookies'.

See Also

https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479314(v=msdn.10)

https://www.sans.org/blog/session-attacks-and-asp-net-part-2/

Plugin Details

Severity: Low

ID: 114610

Type: remote

Family: Web Applications

Published: 3/3/2025

Updated: 3/3/2025

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.5

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Low

Base Score: 2.1

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 16, 598

OWASP: 2010-A6, 2010-A9, 2013-A5, 2013-A6, 2017-A3, 2017-A6, 2021-A4, 2021-A5

WASC: Application Misconfiguration, Insufficient Transport Layer Protection

DISA STIG: APSC-DV-002480

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

OWASP ASVS: 4.0.2-3.1.1

PCI-DSS: 3.2-6.5.4