Insecure Usage of Version 1 GUID

Severity: Information

Summary#

Invicti detected that the application is using a version 1 GUID (often called UUID) in the cookie. UUIDs are just 128-bit pieces of data, that are displayed as (128/4) = 32 hexadecimal digits, like this: ba6eb330-4f7f-11eb-a2fb-67c34e9ac07c

Impact#

The GUID is generated in a predictable manner based on:

The current time
A randomly generated "clock sequence" which remains constant between GUIDs during the uptime of the generating system
A "node ID", which is generated based on the system's MAC address if it is available

Remediation#

Affected applications should update to version 4 of GUID.

Classifications#

OWASP 2017-A3, OWASP 2013-A9, CWE-328, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N

Select Category

Critical
High
Medium
Low
Best Practice
Information

Search Vulnerability

Related Vulnerabilities

Insecure Usage of Version 1 GUID

Related Articles

Build your resistance to threats. And save hundreds of hours each month.