Long Timeout
Failure to Invalidate Sessions via Long Timeout
Overview of the Vulnerability
The application does not expire authenticated sessions within a reasonable time. Session identifiers remain valid long after they were issued, so an attacker who obtains one (for example from a proxy log, browser history, a shared workstation or a compromised device) can keep using it to access the victim's account and to reach endpoints that an unauthenticated user cannot. Because the session timeout is long, the window in which a stolen or leaked session can be abused is correspondingly long, and logging out or simply closing the browser does not reliably end it.
An attacker may obtain a user's session in a number of ways, including phishing, interception on a shared or compromised device, or weaknesses elsewhere in the application that expose or allow forging of session identifiers. Once in the account, the attacker is limited only by the privileges of that user, which may include viewing or editing sensitive customer data, changing other users' permissions, or changing the account password and locking out the legitimate user.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.
Steps to Reproduce
Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP
Use a browser to navigate to: {{URL}}
Sign into a user’s account
Capture any authenticated request
Wait for 10 minutes, or for longer than the application's documented session timeout if one is stated
Replay the request using the HTTP interception proxy
Observe that the application responds to the request
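The replay step above can be scripted so the test is repeatable at different delays. The following is an added example, not part of the original template: it parses a raw request as copied from the proxy, waits, replays it over `http.client`, and classifies the response as "session still valid" or not. The host, path and cookie value in the sample request are constructed placeholders; the validity heuristic (2xx means live, 401/403 or a redirect to a login page means expired) is an assumption you should adapt to the target.

```python
import http.client
import time
from typing import Dict, Tuple

# Constructed sample of a request captured after signing in.
# Host, path and cookie value are placeholders, not real data.
CAPTURED_REQUEST = (
    "GET /account/profile HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Cookie: session=0123456789abcdef\r\n"
    "Accept: application/json\r\n"
    "\r\n"
)


def parse_raw_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request (as copied from Burp/ZAP) into method, path and headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers


def session_still_valid(status: int, headers: Dict[str, str]) -> bool:
    """Assumed heuristic: 2xx means the session is live; 401/403 or a redirect
    whose Location mentions 'login' means the server no longer accepts it."""
    if status in (401, 403):
        return False
    location = headers.get("Location", "")
    if 300 <= status < 400 and "login" in location.lower():
        return False
    return 200 <= status < 300


def replay_after_delay(raw: str, delay_seconds: float, use_tls: bool = True) -> Tuple[int, bool]:
    """Sleep for delay_seconds, replay the captured request unchanged,
    and return (status code, whether the session still appears valid)."""
    method, path, headers = parse_raw_request(raw)
    host = headers["Host"]  # http.client skips its own Host header when one is supplied
    time.sleep(delay_seconds)
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=15)
    try:
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        resp_headers = dict(resp.getheaders())
    finally:
        conn.close()
    return resp.status, session_still_valid(resp.status, resp_headers)


if __name__ == "__main__":
    # Ten minutes, matching the manual step; raise it to probe the real timeout.
    status, valid = replay_after_delay(CAPTURED_REQUEST, delay_seconds=600)
    print(f"status={status} session_still_valid={valid}")
```

Run it several times with increasing delays to find the point at which the session actually expires; that number is what the report should state.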
Proof of Concept (PoC)
The screenshot below shows the application failing to invalidate the session:
{{screenshot}}
Recommendation(s)
The application should enforce both an idle timeout (invalidating a session after a period of inactivity) and an absolute timeout (invalidating it a fixed time after login regardless of activity), with values appropriate to the sensitivity of the data handled. Expiry should be enforced server-side by removing the session from the session store, not only by setting a cookie lifetime. In addition, the application should monitor and alert the user to concurrent login events and provide a way to log out of sessions other than the current one.
For further information, please see: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons
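As an added illustration of the recommended controls, and not code from the original template, the following minimal server-side session store enforces an idle timeout and an absolute timeout and supports logging out a user's other sessions. The timeout values in `WEAK_POLICY` and `HARDENED_POLICY` are assumed examples, not values taken from any particular application, and the injectable clock exists only so the behaviour can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: float      # seconds of inactivity after which the session is dropped
    absolute_timeout: float  # seconds after creation at which it is dropped regardless


# Assumed example of the weak configuration this finding describes: sessions live for days.
WEAK_POLICY = SessionPolicy(idle_timeout=7 * 24 * 3600, absolute_timeout=30 * 24 * 3600)
# Assumed example of a hardened configuration: short idle window, hard cap on total lifetime.
HARDENED_POLICY = SessionPolicy(idle_timeout=15 * 60, absolute_timeout=8 * 3600)


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory store that enforces expiry on every lookup, so an expired
    identifier is rejected even if the client still presents the cookie."""

    def __init__(self, policy: SessionPolicy, clock: Callable[[], float] = time.time):
        self._policy = policy
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy from a CSPRNG
        self._sessions[sid] = Session(user_id, created_at=now, last_seen=now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user id if the session is live, otherwise None.
        Expired sessions are deleted here rather than left for a sweeper."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s.created_at > self._policy.absolute_timeout
                or now - s.last_seen > self._policy.idle_timeout):
            del self._sessions[sid]
            return None
        s.last_seen = now  # sliding idle window; created_at never moves
        return s.user_id

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def logout_other_sessions(self, user_id: str, keep_sid: str) -> int:
        """Drop every session for user_id except keep_sid; returns how many were removed."""
        doomed = [k for k, v in self._sessions.items() if v.user_id == user_id and k != keep_sid]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def active_sessions(self, user_id: str) -> int:
        now = self._clock()
        return sum(
            1 for s in self._sessions.values()
            if s.user_id == user_id
            and now - s.created_at <= self._policy.absolute_timeout
            and now - s.last_seen <= self._policy.idle_timeout
        )
```

Note that `validate` refreshes `last_seen` but never `created_at`: a session that is used continuously still dies at the absolute timeout, which is what stops a stolen identifier from being kept alive indefinitely by the attacker's own requests.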