The API must protect Session IDs via encryption.

STIG ID: SRG-APP-000219-API-000460 | SRG: SRG-APP-000219 | Severity: medium | CCI: CCI-001184 | Vulnerability Id: V-274600

Vulnerability Discussion

Encrypting Session IDs protects them from interception and unauthorized access, preventing session hijacking and ensuring the confidentiality and integrity of user sessions.

Check

Verify the API protects Session IDs.

Review the API documentation and configuration.

Interview the API administrator and obtain implementation documentation identifying system architecture.

Identify the API communication paths. This includes system-to-system communication and client-to-server communication that transmit session identifiers over the network.

Have the API administrator identify the methods and mechanisms used to protect the API session ID traffic. Acceptable methods include SSL/TLS (one-way or two-way/mutual authentication) and VPN tunnels.

The protections must be implemented on a point-to-point basis, determined by the architecture of the API: every network segment the session ID crosses must be covered.

For example, a web API hosting static data will provide SSL/TLS encryption from the web client to the web server. More complex designs may also encrypt from API server to API server (if applicable) and from API server to database.

If the API session IDs are unencrypted across network segments, this is a finding.
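The following is an added example, not part of the STIG text: two small Python helpers an assessor can run offline against collected evidence for this check. The first inspects a Set-Cookie header that issues the session ID (a cookie issued over plain HTTP, or issued without the Secure attribute, is flagged because the client can then send it unencrypted); the second walks a list of point-to-point communication paths and flags any segment where the session ID travels without TLS or a VPN tunnel. The session cookie names, transport labels and sample inputs are constructed assumptions.

```python
"""Offline audit helpers for the session-ID transport check (added example)."""
from http.cookies import SimpleCookie

# Cookie names commonly used for session IDs (assumed list; extend from API docs)
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid",
                        "session", "sessionid", "connect.sid"}
# Transport labels that satisfy the SSL/TLS or VPN requirement on a hop (assumed)
ENCRYPTED_TRANSPORTS = {"tls", "mtls", "vpn"}


def audit_set_cookie(header_value, served_over_tls):
    """Return findings for one Set-Cookie header value.

    served_over_tls: whether the response carrying this header came over HTTPS.
    A session cookie lacking the Secure attribute is a finding even on HTTPS,
    because the client will also attach it to plain-HTTP requests to the host.
    """
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue  # not a session identifier, out of scope for this check
        if not served_over_tls:
            findings.append(f"{name}: session ID issued over cleartext HTTP")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure attribute, client may resend it over HTTP")
    return findings


def audit_hops(hops):
    """hops: iterable of (src, dst, transport, carries_session_id).

    Flags each point-to-point segment on which the session ID travels without
    TLS or a VPN tunnel, i.e. 'unencrypted across network segments'.
    """
    return [f"{src} -> {dst}: session ID crosses '{transport}' unencrypted"
            for src, dst, transport, carries in hops
            if carries and transport not in ENCRYPTED_TRANSPORTS]


if __name__ == "__main__":
    # Constructed sample evidence for a three-tier API deployment
    print(audit_set_cookie("JSESSIONID=abc123; Path=/; HttpOnly", True))
    print(audit_hops([
        ("web client", "api gateway", "tls", True),
        ("api gateway", "order service", "http", True),  # finding
        ("order service", "database", "tcp", False),     # no session ID on this hop
    ]))
```

Any non-empty result from either helper corresponds to the finding condition above; an empty result only shows the evidence supplied was clean, not that every path was supplied.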

Fix

Build or configure the API to protect session IDs from interception and manipulation, for example by transmitting them only over SSL/TLS or through a VPN tunnel on every network segment they cross.