We found that the JSON Web Token (JWT) was passed to the server as a part of the URL path, as the following HTTP request demonstrates:
Implication and Impact
A session identifier carried in the URL can leak at several locations: browser history, HTTP log files, network appliances (proxies, load balancers, WAFs), and the Referer header whenever the site links to an external site. An attacker who obtains such a URL can replay the exposed token to impersonate the valid user session and, through it, read or modify sensitive data stored in the application. Exploitation requires access to a URL containing the session identifier.
Affected resources
• https://XXX.com:444
Recommendations
Stop passing session tokens as URL path parameters in all affected requests. Also, consider the following:
• Transmit session tokens by an alternative mechanism, such as HTTP cookies or hidden fields in forms submitted with the POST method.
• Use JWTs for authorization, not as session identifiers.
• For web applications, store the JWT in a cookie rather than in the URL.
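The following Python example is added here for illustration and is not part of the original finding or the assessed application. It covers both halves of the finding: a detection routine that flags JWT-shaped values in the request path or Referer field of combined-format access log lines (the leak locations named above) and redacts them before logs are retained, and a replacement transport that issues the token in a hardened cookie and reads it back from the Cookie header. The log lines, the token (a harmless header/payload with a placeholder signature) and the cookie name `session` are constructed for the example; the host `XXX.com:444` is the affected resource from the report.

```python
"""Find JWTs leaked through URL paths/Referers in access logs, and carry
the token in a cookie instead. Added example; all inputs are constructed."""
import re
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple

# A JWT is three base64url segments joined by dots; the header segment encodes
# '{"' and therefore always starts with "eyJ". The signature may be empty (alg=none).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed token: header {"alg":"HS256","typ":"JWT"}, payload {"sub":"1234"},
# signature segment is a placeholder and is not a valid MAC.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl"
)

# Constructed log lines: token in the path, token in the Referer, and a clean request.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/session/{SAMPLE_TOKEN} HTTP/1.1" '
    f'200 512 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /static/app.js HTTP/1.1" '
    f'200 2048 "https://XXX.com:444/api/session/{SAMPLE_TOKEN}" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "POST /api/login HTTP/1.1" '
    '200 128 "-" "curl/8.0"',
]


def find_leaked_tokens(log_line: str) -> List[Tuple[str, str]]:
    """Return (field, token) pairs for JWTs found in the request target or Referer."""
    m = LOG_RE.match(log_line)
    if not m:
        return []  # not combined format; nothing we can attribute to a field
    hits = []
    for field in ("target", "referer"):
        for token in JWT_RE.findall(m.group(field)):
            hits.append((field, token))
    return hits


def redact(log_line: str) -> str:
    """Replace any JWT in a log line with a fixed marker before the line is stored or shipped."""
    return JWT_RE.sub("[JWT-REDACTED]", log_line)


def session_cookie_header(token: str, name: str = "session", max_age: int = 900) -> str:
    """Build a Set-Cookie value that carries the token with HttpOnly, Secure and SameSite set,
    so it is neither readable by page scripts nor sent over plaintext HTTP or cross-site."""
    c = SimpleCookie()
    c[name] = token
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["samesite"] = "Strict"
    c[name]["path"] = "/"
    c[name]["max-age"] = max_age
    return c[name].OutputString()


def token_from_cookie_header(cookie_header: str, name: str = "session") -> Optional[str]:
    """Read the token back from an incoming Cookie header; None if absent or not JWT-shaped."""
    c = SimpleCookie()
    c.load(cookie_header)
    if name not in c:
        return None
    value = c[name].value
    return value if JWT_RE.fullmatch(value) else None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_leaked_tokens(line), "|", redact(line))
    hdr = session_cookie_header(SAMPLE_TOKEN)
    print("Set-Cookie:", hdr)
    print(token_from_cookie_header("theme=dark; session=" + SAMPLE_TOKEN) == SAMPLE_TOKEN)
```

The detector only inspects the request target and Referer fields, which are the two log positions where a path-carried token ends up; running `redact` on every line before retention removes the token from the log-file leak path even if the application fix is delayed. The cookie side is the server's replacement for the URL parameter: the server still has to validate the JWT's signature and expiry after extracting it, which this example deliberately leaves to the application's existing JWT library.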