MITRE's Common Weakness Enumeration (CWE) is the most comprehensive and granular taxonomy for web application security vulnerabilities and weaknesses. So why, may I ask, is there no CWE ID for Session ID Exposed in URL?
Am I missing something?
Sure, we have CWE-384 (Session Fixation), but that's not the issue. Session fixation in my experience is much more rare (and dangerous) compared to a session ID exposed in a URL.
Some might suggest CWE-287 (Improper Authentication) is the best fit. That's a tough sell. I don't buy it.
The closest one in my opinion must be CWE-598 (Information Exposure Through Query Strings in GET Request). It's not a perfect fit, but the consequences section does refer to "impersonating a legitimate user". That's a true risk for sure.
At this stage of the game, we probably won't see a CWE ID specific to Session ID Exposed in URL. It seems like a no-brainer, but oh well.