Check: SRG-APP-000219-API-000460
Application Programming Interface (API) SRG:
SRG-APP-000219-API-000460
(in version v1 r1)
Title
The API must protect Session IDs via encryption. (Cat II impact)
Discussion
Encrypting Session IDs protects them from interception and unauthorized access, preventing session hijacking and ensuring the confidentiality and integrity of user sessions.
Check Content
Verify the API protects Session IDs. Review the API documentation and configuration. Interview the API administrator and obtain implementation documentation identifying system architecture. Identify the API communication paths. This includes system-to-system communication and client-to-server communication that transmit session identifiers over the network. Have the API administrator identify the methods and mechanisms used to protect the API session ID traffic. Acceptable methods include SSL/TLS (both one-way and two-way) and VPN tunnels. The protections must be implemented on a point-to-point basis, based upon the architecture of the API. For example, a web API hosting static data will provide SSL/TLS encryption from web client to the web server. More complex designs may encrypt from API server to API server (if applicable) and from API server to database as well. If the API session IDs are unencrypted across any network segment, this is a finding.
Fix Text
Build or configure the API to protect session IDs from interception or from manipulation.
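The Check Content above is a point-to-point review: every hop that carries a session ID must use one of the accepted protections. As an added illustration (not part of the SRG), the script below audits a constructed communication-path inventory in that way; the inventory format, the path names and the protection labels are assumptions for the example.

```python
"""Audit declared API communication paths against SRG-APP-000219-API-000460."""
from dataclasses import dataclass

# Protections the check text accepts for session-ID traffic:
# one-way SSL/TLS, two-way (mutual) TLS, or a VPN tunnel.
ACCEPTABLE_PROTECTIONS = {"ssl", "tls", "mtls", "vpn"}


@dataclass(frozen=True)
class CommPath:
    source: str
    destination: str
    carries_session_id: bool
    protection: str  # e.g. "tls", "mtls", "vpn", or "none"


def parse_inventory(text):
    """Parse constructed inventory lines: source,destination,session_id(yes/no),protection."""
    paths = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, sess, prot = (field.strip() for field in line.split(","))
        paths.append(CommPath(src, dst, sess.lower() == "yes", prot))
    return paths


def audit_paths(paths):
    """Return one finding per hop that carries a session ID without an accepted protection."""
    findings = []
    for p in paths:
        if p.carries_session_id and p.protection.lower() not in ACCEPTABLE_PROTECTIONS:
            findings.append(f"{p.source} -> {p.destination}: session ID sent with protection '{p.protection}'")
    return findings


# Constructed sample inventory (hypothetical names): client->gateway, gateway->service, service->database.
SAMPLE_INVENTORY = """
# source,destination,carries_session_id,protection
web-client,api-gateway,yes,tls
api-gateway,orders-api,yes,none
orders-api,postgres,yes,mtls
orders-api,metrics-collector,no,none
"""

if __name__ == "__main__":
    for finding in audit_paths(parse_inventory(SAMPLE_INVENTORY)):
        print("FINDING:", finding)
```

Only the gateway-to-service hop is reported: it carries session IDs in the clear, while the metrics path carries none and is not in scope for this check.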
Additional Identifiers
Rule ID: SV-274600r1143633_rule
Vulnerability ID: V-274600
Group Title: SRG-APP-000219
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001184 | Protect the authenticity of communications sessions. |
Controls
| Number | Title |
|---|---|
| SC-23 | Session Authenticity |