Symptom
A security inspection was carried out on the career site and a vulnerability was reported that could allow an attack called SESSION HIJACKING.
Environment
- SAP SuccessFactors Recruiting Management (RCM)
- SAP SuccessFactors Recruiting Marketing (RMK)
Resolution
Session hijacking is an attack where a user session is taken over by an attacker. A session starts when you log into a service, for example your Candidate Profile, and ends when you log out. The attack relies on the attacker’s knowledge of your session cookie, so it is also called cookie hijacking or cookie side-jacking.
SuccessFactors has mechanisms in place to keep the session cookie safe. As long as the attacker cannot obtain the victim's cookie, the attacker has no way to reuse it or the session it represents.
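The protections that matter against cookie hijacking are the attributes on the Set-Cookie header the login response returns: Secure (the cookie is never sent over plain HTTP), HttpOnly (page scripts cannot read it) and SameSite (it is not attached to cross-site requests). The following script is an added example for this KBA, not SAP code, and does not describe how SuccessFactors configures its cookies; it parses Set-Cookie headers and flags the attributes that are missing. The cookie name JSESSIONID and the sample headers are constructed for illustration only; when checking your own career site, capture the real Set-Cookie headers from the login response (for example from the browser's developer tools) and pass those instead.

```python
"""Audit Set-Cookie headers for the attributes that resist cookie hijacking.

Added example for this KBA; it is not SAP code and does not reflect how
SuccessFactors sets its cookies. The cookie name JSESSIONID and the
sample responses below are constructed for illustration.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, SameSite, ...) to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:  # tolerate a trailing ';'
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name.strip(), attrs


def audit_cookie(header, session_cookie_names=("JSESSIONID",)):
    """Return a list of findings for a single Set-Cookie header.

    Every cookie is checked for Secure; only cookies whose name is in
    session_cookie_names (an assumed name here) are also held to the
    HttpOnly and SameSite requirements of a session cookie.
    """
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; cookie can leak over plain HTTP")
    if name in session_cookie_names:
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly; readable by injected script")
        samesite = attrs.get("samesite")
        # Absent, bare, or explicitly None: the cookie rides on cross-site requests.
        if samesite is None or samesite is True or samesite.lower() == "none":
            findings.append(f"{name}: SameSite not Lax/Strict; sent on cross-site requests")
    return findings


def audit_response(set_cookie_headers, session_cookie_names=("JSESSIONID",)):
    """Audit every Set-Cookie header returned by one HTTP response."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(audit_cookie(header, session_cookie_names))
    return findings


# Constructed samples: a login response with a weak session cookie, and
# the same response with the cookie hardened.
WEAK_RESPONSE = [
    "JSESSIONID=abc123; Path=/",
    "lang=en; Path=/; Secure",
]
HARDENED_RESPONSE = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/; Secure",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(headers)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The weak sample produces three findings for the session cookie and none for the language cookie; the hardened sample produces none. A cookie that passes this audit can still be stolen if the attacker already controls the victim's browser or network path, so the audit is a necessary check, not a proof that hijacking is impossible.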
Keywords
Session, Hijacking, Cookie, Candidate, Profile, RCM, Recruiting, RMK , KBA , LOD-SF-RCM-POR , Career and Agency Portals , LOD-SF-RCM , Recruiting Management , LOD-SF-RMK , Recruiting Marketing , Problem