目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CWE-6 J2EE误配置:会话ID长度不充分 类漏洞列表 1

CWE-6 J2EE误配置:会话ID长度不充分 类弱点 1 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-6属于J2EE配置不当导致的会话标识符长度不足漏洞。当会话ID生成规则过于简单或长度过短时,攻击者可通过暴力猜测或窃取方式获取有效ID,进而实施会话劫持,非法接管用户会话并访问敏感数据。为避免此类风险,开发者应确保会话ID具有足够的随机性和长度,通常建议至少使用128位熵值,并严格遵循安全编码规范,防止会话固定或预测攻击。

MITRE CWE 官方描述
CWE:CWE-6 J2EE Misconfiguration: Insufficient Session-ID Length 英文:The J2EE application is configured to use an insufficient session ID length. If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.
常见影响 (1)
Access ControlGain Privileges or Assume Identity
If an attacker can guess an authenticated user's session identifier, they can take over the user's session.
缓解措施 (2)
ImplementationSession identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.
ImplementationA lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a la…
代码示例 (1)
The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length.
<sun-web-app> ... <session-config> <session-properties> <property name="idLengthBytes" value="8"> <description>The number of bytes in this web module's session ID.</description> </property> </session-properties> </session-config> ... </sun-web-app>
Bad · XML
CVE ID标题CVSS风险等级Published
CVE-2018-12538 Eclipse Jetty 授权问题漏洞 — Eclipse Jetty 8.3 -2018-06-22

CWE-6(J2EE误配置:会话ID长度不充分) 是常见的弱点类别,本平台收录该类弱点关联的 1 条 CVE 漏洞。