SSRS 2016 allows the display of sensitive parameters in its URL, such as the session state token

asked 2020-08-20T09:17:11.547+00:00
Ismael González Briongos 1 Reputation point

SSRS 2016 allows the display of sensitive parameters in its URL, such as the session state token.
This can be used to manipulate the data being displayed, allowing other resources' information to be visible to other users.

SQL Server Reporting Services
A SQL Server technology that supports the creation, management, and delivery of both traditional, paper-oriented reports and interactive, web-based reports.

1 answer

  1. answered 2020-08-21T02:05:56.397+00:00
    ZoeHui-MSFT 18,671 Reputation points Microsoft Employee

    Hi,

    I assume that you're concerned about security of SSRS.

    I'm not familiar with the session state token.

    However, I found some official documentation for you.

    Reporting Services uses role-based security to grant user access to a report server. On a new report server installation, only users who are members of the local Administrators group have permissions to report server content and operations.

    To make the report server available to other users, you must create role assignments that map user or group accounts to a predefined role that specifies a collection of tasks.

    This means that if you do not have permission for the report, you can't see the resources on the report server.

    Nor can you access other reports by modifying the parameters of the URL.

    grant-user-access-to-a-report-server

    granting-permissions-on-a-native-mode-report-server

    There is also extended protection for authentication with Reporting Services.

    extended-protection-for-authentication-with-reporting-services

    Regards,

    Zoe