Article - CS376503
Session ID/Token is passed within the URL when accessing certain resources on ThingWorx Platform
Modified: 16-Sep-2022
Applies To
- ThingWorx Platform 8.5 to 9.3
Description
- A session hijacking attack compromises a session by stealing or predicting a valid session token and replaying it to gain unauthorized access to the web server.
- The ThingWorx Platform session ID is stored in a cookie; a low-privilege user who obtains this session ID can gain the highest level of privilege it grants.
- ThingWorx is vulnerable to session token hijacking.
- Placing the session token in the URL increases the risk that an attacker captures it and hijacks the session. Beyond intercepted traffic, a URL is written to browser history, web-server, proxy and bookmark storage, and is sent to third-party sites in the Referer header, none of which normally record a cookie value.
- ThingWorx Platform should not present the session ID within the URL when accessing resources.
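To confirm whether a deployment is affected, and which resources are reached with a token in the URL, an administrator can scan the web-server or reverse-proxy access logs. The script below is an added example for this article, not code from PTC or the ThingWorx product. It assumes Tomcat/Apache "combined" log lines and a small list of query-parameter names (sessionid, JSESSIONID, token, appKey) that commonly carry a session credential; that list, the Tomcat path-parameter form `;jsessionid=`, and the sample log lines are assumptions and constructed data, not ThingWorx-specific facts. It also checks the Referer column, because a token in the URL of a vulnerable page is sent onward in the Referer whenever that page links to another site.

```python
"""Flag session tokens carried in request URLs in web-server access logs.

Added example, not code from the ThingWorx article or from PTC. It assumes
Tomcat/Apache "combined" access-log lines and an assumed list of query-parameter
names that commonly carry session credentials; the sample log lines are
constructed, not real ThingWorx traffic.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Query-parameter names that typically carry a session credential (assumed list)
TOKEN_PARAM_RE = re.compile(r'(?i)^(jsessionid|sessionid|session[_-]?token|token|appkey)$')

# Tomcat also accepts the session ID as a path parameter: /path;jsessionid=ABC
PATH_PARAM_RE = re.compile(r'(?i);jsessionid=([^/?#;]+)')


def redact(value):
    """Keep enough of a token to correlate findings without re-logging the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def find_tokens_in_url(url):
    """Return [(param_name, redacted_value)] for session-like params in a URL or path."""
    found = []
    parts = urlsplit(url)
    for m in PATH_PARAM_RE.finditer(parts.path):
        found.append(("jsessionid(path)", redact(m.group(1))))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if TOKEN_PARAM_RE.match(name):
            found.append((name, redact(value)))
    return found


def scan_access_log(lines):
    """Return one finding per log line and location (request target or Referer)
    that carries a session token; the Referer case shows the token leaking
    to whatever site the vulnerable page linked to."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for where in ("target", "referer"):
            url = m.group(where)
            if not url or url == "-":
                continue
            hits = find_tokens_in_url(url)
            if hits:
                findings.append({
                    "line": lineno,
                    "client": m.group("client"),
                    "where": where,
                    "path": urlsplit(url).path.split(";")[0],
                    "params": hits,
                })
    return findings


# Constructed sample lines (not real ThingWorx traffic); parameter names are assumed
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Sep/2022:10:01:02 +0000] "GET /Thingworx/Composer/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Sep/2022:10:01:03 +0000] "GET /Thingworx/Things/MyThing/Properties?sessionid=A1B2C3D4E5F6A7B8 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Sep/2022:10:02:07 +0000] "GET /Thingworx/Runtime/index.html;jsessionid=9F8E7D6C5B4A39281726 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Sep/2022:10:02:09 +0000] "GET /Thingworx/Things/MyThing/Properties?appKey=0123456789abcdef0123 HTTP/1.1" 200 88 "https://tw.example.internal/Thingworx/Runtime/index.html;jsessionid=9F8E7D6C5B4A39281726" "Mozilla/5.0"',
    '10.0.0.7 - - [16/Sep/2022:10:03:00 +0000] "POST /Thingworx/Things/MyThing/Services/GetData HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['where']} {f['path']} {f['params']}")
```

Run it against real access logs by replacing SAMPLE_LOG with the file's lines; the output lists the affected resource paths with the token redacted, so the report itself does not become another copy of the credential. Any line flagged in the Referer column means the token has already left the platform for the site recorded in the request target.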
This is a printer-friendly version of Article 376503 and may be out of date. For the latest version click CS376503