Exposing the session identifier in a URL is a classic example of an identification and authentication failure because:
Session Hijacking Risk: Attackers can intercept session IDs when exposed in URLs, especially through techniques like referrer header leaks or logs.
Session Fixation: If the session ID is predictable or accessible, attackers can force a user to log in with a known ID.
OWASP Top Ten 2021 - Identification and Authentication Failures (A07): Exposing session identifiers makes it easier for attackers to impersonate users.
Secure Implementation: Best practices dictate storing session IDs in HTTP-only cookies rather than in URLs to prevent exposure.
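The following added example (not part of the exam explanation above) shows the two sides of this point in working code: a check that flags session identifiers carried in a URL, run over a few constructed access-log lines to show the referrer and log leakage the explanation mentions, and a helper that issues the session ID as an HttpOnly cookie instead. The parameter names, log lines and session values are constructed assumptions, not taken from the page.

```python
"""
Added illustration (not from the page): detect session IDs leaking through
URLs, as they appear in request lines and Referer headers of a web server log,
and build the cookie-based alternative the explanation recommends.

Assumptions (not from the page): SESSION_PARAM_NAMES is a constructed list of
common session parameter names; LOG_LINES are constructed sample log entries.
"""
from __future__ import annotations

import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Constructed list of query-parameter names commonly used to carry a session ID.
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid", "token"}

# Java servlet containers can also rewrite the session ID into the URL path
# as ";jsessionid=..." when cookies are disabled.
_PATH_SESSION_RE = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)

# Combined Log Format: request line, status, size, then the Referer header.
_LOG_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def find_session_id_in_url(url: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs in the URL that look like session identifiers.

    Works for absolute URLs and for bare request targets such as "/account?sid=1".
    Inspects both the query string and ";jsessionid=" path parameters.
    """
    parts = urlsplit(url)
    found: list[tuple[str, str]] = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES and value:
            found.append((name, value))
    match = _PATH_SESSION_RE.search(parts.path)
    if match:
        found.append(("jsessionid", match.group(1)))
    return found


def scan_access_log(lines: list[str]) -> list[tuple[int, str, str]]:
    """Report (line_number, location, parameter_name) for every session ID seen
    in the request target ("url") or the Referer header ("referer").

    Only the parameter name is reported, so the output itself does not copy the
    secret value into yet another log.
    """
    hits: list[tuple[int, str, str]] = []
    for line_no, line in enumerate(lines, start=1):
        match = _LOG_RE.search(line)
        if not match:
            continue
        for name, _ in find_session_id_in_url(match.group("target")):
            hits.append((line_no, "url", name))
        for name, _ in find_session_id_in_url(match.group("referer")):
            hits.append((line_no, "referer", name))
    return hits


def session_cookie_header(name: str, value: str) -> str:
    """Build the Set-Cookie value for a session ID with the defensive flags:
    HttpOnly (not readable by page scripts), Secure (HTTPS only), SameSite=Lax.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


# Constructed sample log lines. Line 1 carries the session ID in the URL; line 2
# shows the same ID leaking to another request via the Referer header; line 3 is clean.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account?sessionid=9f2c1e HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /help HTTP/1.1" 200 128 "https://shop.example/account?sessionid=9f2c1e" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /catalog?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, where, name in scan_access_log(LOG_LINES):
        print(f"line {line_no}: session parameter '{name}' exposed in {where}")
    print("Set-Cookie:", session_cookie_header("sessionid", "9f2c1e"))
```

Running the script reports the session parameter on line 1 (request URL) and again on line 2 (Referer header), which is exactly how an ID placed in a URL ends up in third-party logs, while the Set-Cookie line shows the HttpOnly, Secure and SameSite attributes that keep the identifier out of URLs and out of reach of page scripts.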
Other options analysis:
A. Cryptographic failures: This risk involves improper encryption practices, not session management.
B. Insecure design and implementation: Broad category, but this specific flaw is more aligned with authentication issues.
D. Broken access control: Involves authorization flaws rather than authentication or session handling.
CCOA Official Review Manual, 1st Edition Reference:
Chapter 4: Web Application Security: Covers session management best practices and related vulnerabilities.
Chapter 8: Application Security Testing: Discusses testing for session-related flaws.