Weak Session ID Analyzer
Configuration Name: BUAWeakSessionID
Description
Session IDs are a critical mechanism of authentication and authorization in applications that track logged-in users with a server-side session: whoever presents a valid ID is treated as that user, so an ID that can be predicted is as good as a stolen credential. OWASP classifies Broken User Authentication as #2 in its 2019 API Security Top 10 (API2:2019).
The BUAWeakSessionID analyzer checks for the presence of weak session IDs that are predictable or easy for an attacker to guess: IDs that are too short (fewer than 16 characters), IDs that are sequential across consecutive sessions, or IDs with low entropy (for example, drawn from too small a character set, such as decimal digits only, so that even a long ID carries few bits of randomness).
Faults Reported
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-330 | Broken User Authentication - Weak Session ID | Service uses weak session IDs that are predictable, have low entropy, or are vulnerable to brute force attacks. Weak session IDs can be guessed or enumerated, allowing attackers to hijack user sessions. | Generate session IDs with a cryptographically secure random number generator. Ensure each ID carries at least 128 bits of entropy (32 hex characters, or the equivalent in a larger alphabet). Using a larger alphabet (uppercase, lowercase, digits, and cookie-safe punctuation) packs more entropy into each character; length alone is not a substitute for randomness. Implement session rotation (on login and privilege change) and idle and absolute timeouts. Refer to CWE-330 and CWE-331 for best practices. | medium - high |
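To make the description's three heuristics and the solution column concrete, the following Python is an added example, not the analyzer's own code. It applies a length check, an entropy estimate based on the smallest standard alphabet that covers the token, a repeated-character check, and a sequential-stride check to constructed sample IDs, and generates a compliant ID the way the solution column recommends. The 16-character and 128-bit thresholds come from this page; the alphabet table, the distinct-character ratio and the 1000 stride bound are assumptions chosen for illustration.

```python
"""Heuristic weak-session-ID checks (added example; not the BUAWeakSessionID code)."""
import math
import secrets
import string

MIN_LENGTH = 16         # threshold stated in the analyzer description
MIN_ENTROPY_BITS = 128  # minimum recommended in the fault's solution column

# Standard alphabets, smallest first. The first one that covers a token bounds
# the bits of entropy each character can carry. (Assumed table, not the tool's.)
ALPHABETS = [
    ("decimal", set(string.digits)),
    ("hex", set("0123456789abcdef")),
    ("HEX", set("0123456789ABCDEF")),
    ("alphanumeric", set(string.ascii_letters + string.digits)),
    ("base64url", set(string.ascii_letters + string.digits + "-_")),
    ("base64", set(string.ascii_letters + string.digits + "+/=")),
]


def estimate_entropy_bits(token):
    """Upper bound on entropy: len(token) * log2(|alphabet|) for the smallest
    covering alphabet. For an unknown alphabet the distinct characters seen
    are a floor on its size. Returns (alphabet_name, bits)."""
    chars = set(token)
    for name, alphabet in ALPHABETS:
        if chars <= alphabet:
            return name, len(token) * math.log2(len(alphabet))
    return "unknown", len(token) * math.log2(max(len(chars), 2))


def check_session_id(token):
    """Return the list of findings for one session ID (empty list = no issue)."""
    findings = []
    if len(token) < MIN_LENGTH:
        findings.append(f"too short: {len(token)} < {MIN_LENGTH} characters")
    name, bits = estimate_entropy_bits(token)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"low entropy: at most {bits:.0f} bits from a {name} alphabet")
    # The alphabet bound is misleading for tokens like "aaaa...": a random
    # token uses most of its alphabet, so very few distinct characters is a flag.
    if len(set(token)) <= len(token) // 4:
        findings.append("low entropy: very few distinct characters")
    return findings


def _as_int(token):
    """Interpret a token as a decimal or hex integer; None if it is neither."""
    for base in (10, 16):
        try:
            return int(token, base)
        except ValueError:
            continue
    return None


def is_sequential(tokens, max_stride=1000):
    """True when consecutively issued IDs differ by one constant, small stride,
    so an attacker holding one ID can compute its neighbours."""
    values = [_as_int(t) for t in tokens]
    if len(values) < 3 or any(v is None for v in values):
        return False
    strides = {b - a for a, b in zip(values, values[1:])}
    return len(strides) == 1 and 0 < abs(strides.pop()) <= max_stride


def generate_session_id():
    """128 bits from the OS CSPRNG, encoded as 32 hex characters (solution column)."""
    return secrets.token_hex(16)


# Constructed sample tokens; none were captured from a real service.
WEAK_SHORT = "a8f3e2"                                 # 6 hex chars, 24 bits
WEAK_DECIMAL = "847201938475629103847561"             # 24 digits, only ~80 bits
WEAK_REPEATED = "a" * 32                              # passes the alphabet bound, fails distinct check
WEAK_SEQUENTIAL = ["1000237", "1000238", "1000239", "1000240"]
STRONG = "3f9c1d7e8a2b4c6d5e0f1a2b3c4d5e6f"          # 32 hex chars, 128 bits

if __name__ == "__main__":
    for t in (WEAK_SHORT, WEAK_DECIMAL, WEAK_REPEATED, STRONG, generate_session_id()):
        print(f"{t:34} {check_session_id(t) or ['ok']}")
    print("sequential:", is_sequential(WEAK_SEQUENTIAL))
```

The sequential check needs several IDs issued back to back, which is why the analyzer looks at multiple sessions rather than a single cookie; the per-token checks work on one value. The entropy estimate is only an upper bound: it says how much randomness the encoding could hold, not how much the generator actually put in, so a token that passes every check here can still be weak if it was derived from a timestamp or a non-cryptographic PRNG.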