Concurrent Logins
Overview of the Vulnerability
Allowing multiple concurrent logins lets an attacker reuse a stolen or otherwise acquired session token to hijack requests. Old session tokens are commonly recovered through open source intelligence efforts or captured from sniffed requests in Person-in-The-Middle (PitM) attacks. Because a previously issued session is never invalidated by a later login, an attacker holding one can keep accessing the victim's account and its private data indefinitely.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.
Steps to Reproduce
Use a browser to navigate to: {{URL}}
Log in to the application
Using an incognito tab or another browser, log in using the same credentials
Observe that both sessions remain valid
Proof of Concept (PoC)
The screenshots below show the concurrent logins:
{{screenshot}}
Recommendation(s)
The application should track active sessions per user, alert the user when a concurrent login occurs, and give the user a way to log out all sessions other than the one they are currently using.
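The following is an added illustration of that recommendation, not code from the original report or from any application it describes. It is a hypothetical in-memory session registry: each login returns the list of sessions already active for the same user (the concurrent-login event to surface to them), and logout_others revokes every session except the caller's. The user identifiers and client labels are constructed sample values; a real deployment would keep the registry in a shared store and persist only a hash of each token.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    token: str
    user_id: str
    created_at: float
    client: str  # constructed label (browser / device) shown in the user's session list


class SessionRegistry:
    """Tracks every active session per user so concurrent logins can be
    detected, reported to the user, and revoked on request."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Session] = {}

    def active_sessions(self, user_id: str) -> List[Session]:
        return [s for s in self._by_token.values() if s.user_id == user_id]

    def login(self, user_id: str, client: str,
              now: Optional[float] = None) -> Tuple[str, List[Session]]:
        """Create a new session and return (token, sessions that were already
        active). A non-empty list is the concurrent-login event to alert on."""
        now = time.time() if now is None else now
        already_active = self.active_sessions(user_id)
        token = secrets.token_urlsafe(32)  # unguessable opaque token
        self._by_token[token] = Session(token, user_id, now, client)
        return token, already_active

    def is_valid(self, token: str) -> bool:
        return token in self._by_token

    def logout(self, token: str) -> None:
        self._by_token.pop(token, None)

    def logout_others(self, token: str) -> int:
        """Revoke every other session belonging to the owner of `token`.
        Returns the number of sessions revoked (0 if `token` is unknown)."""
        current = self._by_token.get(token)
        if current is None:
            return 0
        stale = [t for t, s in self._by_token.items()
                 if s.user_id == current.user_id and t != token]
        for t in stale:
            del self._by_token[t]
        return len(stale)


def demo() -> Tuple[int, bool, bool, int]:
    """Replays the report's reproduction steps against the registry:
    two logins with the same credentials, then 'log out other sessions'."""
    reg = SessionRegistry()
    tok_laptop, others = reg.login("alice", "Firefox on laptop")      # first login
    tok_incognito, others = reg.login("alice", "Chrome incognito")    # second login
    concurrent = len(others)             # 1: the laptop session is reported to the user
    revoked = reg.logout_others(tok_incognito)
    return concurrent, reg.is_valid(tok_laptop), reg.is_valid(tok_incognito), revoked


if __name__ == "__main__":
    print(demo())  # (1, False, True, 1)
```

The alert step is the second element returned by login: an application would render those sessions (client label and creation time) to the user and offer the logout_others action next to them.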
For further information, please see: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons