Burp Suite User Forum

"Session token in URL" false positive

Andrii | Last updated: Apr 17, 2016 08:42AM UTC

Hi, Burp Scanner v1.6.38 gave me a false positive for "Session token in URL" without any reason, I think. Take a look at the following excerpt from the report: https://drive.google.com/file/d/0B3mWggDv3CKZX0IzaDVfVUYzM1U/view?usp=sharing (you should open it with the "HTML Editey" app or download it to your file system).

PortSwigger Agent | Last updated: Apr 18, 2016 07:59AM UTC

Agreed this is a false positive. It looks like Burp was confused by the appearance of the word "session" within a URL parameter name that was doing something else.
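
A way to triage this kind of finding, as an added example that is not part of the original thread and is not Burp's detection logic: it separates a name-only match on "session" from a value that actually looks like a token. The thresholds, function names and sample URLs are assumptions constructed for illustration.

```python
import math
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumed thresholds for this example; tune them for the application under test.
MIN_TOKEN_LEN = 16       # shorter values are unlikely to be session identifiers
MIN_ENTROPY_BITS = 3.0   # Shannon entropy per character


def shannon_entropy(value):
    """Shannon entropy of the string, in bits per character."""
    if not value:
        return 0.0
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())


def looks_like_token(value):
    """True when the value is long and random-looking enough to be a session token."""
    return len(value) >= MIN_TOKEN_LEN and shannon_entropy(value) >= MIN_ENTROPY_BITS


def triage(url):
    """Return (name, value, verdict) for each query parameter whose name contains 'session'."""
    results = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if "session" not in name.lower():
            continue  # a name-based scanner check would not flag this parameter
        verdict = "likely token" if looks_like_token(value) else "likely false positive"
        results.append((name, value, verdict))
    return results


# Constructed sample URLs (not taken from the report in this thread).
SAMPLES = [
    "https://app.example/schedule?sessionType=workshop&page=2",
    "https://app.example/home?sessionid=9f2c7a1e4b8d43f0a6c5e1d2b7f3a490",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for name, value, verdict in triage(sample):
            print(f"{name}={value}: {verdict}")
```

A "likely false positive" verdict is only a prompt for manual review; confirm against how the application actually issues and validates its sessions.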
