SSRS 2016 allows the display of sensitive parameter in its URL such as Session state token

Ismael González Briongos 1 Reputation point
2020-08-20T09:17:11.547+00:00

SSRS 2016 allows the display of sensitive parameter in its URL, such as Session state token.
This can be used to manipulate the data being displayed allowing other resources information be visible to other users.

SQL Server Reporting Services
SQL Server Reporting Services
A SQL Server technology that supports the creation, management, and delivery of both traditional, paper-oriented reports and interactive, web-based reports.
2,940 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. ZoeHui-MSFT 37,671 Reputation points
    2020-08-21T02:05:56.397+00:00

    Hi,

    I assume that you're concerned about security of SSRS.

    I'm not familiar with session,state,token.

    However I find some official documentations for you.

    Reporting Services uses role-based security to grant user access to a report server. On a new report server installation, only users who are members of the local Administrators group have permissions to report server content and operations.

    To make the report server available to other users, you must create role assignments that map user or group accounts to a predefined role that specifies a collection of tasks.

    Which means if you do not have the permission of the report, you can't see the resources in the report server.

    Nor can you access other reports by modifying the parameter of the url.

    grant-user-access-to-a-report-server

    granting-permissions-on-a-native-mode-report-server

    There is also an extended protection for Authentication with Reporting Services.

    extended-protection-for-authentication-with-reporting-services

    Regards,

    Zoe


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.