Code-Racing / brickyard


CONTRAST: Overly Long Session Timeout in /WEB-INF/web.xml #69

Open valvolineford opened 4 years ago

valvolineford commented 4 years ago

Vulnerability ID: NW1K-JFL4-1PEN-MTBB

Application Name: Pluto

Application Code: PLANET

Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/0f9338c6-352f-418b-9d89-696406640d91/vulns/NW1K-JFL4-1PEN-MTBB

What Happened?

The configuration in /WEB-INF/web.xml specified a session timeout value greater than 30 minutes in the following configuration:

```xml
<!-- This app is cluster-ready -->
<distributable />

<!-- Set timeout to 120 minutes -->
<session-config>
    <session-timeout>120</session-timeout>
</session-config>

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
```

What's the risk?

The application has specified a session timeout value greater than 30 minutes. Most sensitive applications in banking, trading and other sensitive industries tend to specify session timeouts between 15 and 30 minutes. Longer session timeouts make cross-user web attacks like Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) more likely to succeed, because users' sessions, which attackers require to be active for their exploits to work, stay alive longer.

Recommendation

Decreasing your session timeout is easy. Simply specify a reasonable value in your application's web.xml file, like in this example:

```xml
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
```

Contrast expects to see a timeout value less than or equal to 30 minutes. The value you choose should depend on your risk tolerance and the nature of the application. Consider the following questions when deciding your timeout value:

* Do your users use this application from work, home or both?
* Would a user use this application from a kiosk? A friend's computer?
* Is there financial incentive for a random person who stumbles upon a user's logged in session to access the user's account?
* How critical is this application to the business? To your users' life or well-being?
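The check below is an added example, not part of the Contrast report or the brickyard project: it parses a web.xml (namespace-aware, since real deployment descriptors declare a default namespace), applies the 30-minute threshold stated above, and also flags two cases the report does not show, a missing `<session-timeout>` (the container default applies) and a zero or negative value, which the Servlet specification defines as a session that never expires. The sample web.xml is constructed to mirror the flagged 120-minute configuration.

```python
"""Audit a Servlet web.xml for an overly long session timeout.
Added example; not code from the Contrast report or the brickyard project."""
import xml.etree.ElementTree as ET

MAX_TIMEOUT_MINUTES = 30  # threshold Contrast applies in this finding


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def session_timeout_minutes(web_xml: str):
    """Return the configured <session-timeout> in minutes, or None if absent
    (the container default then applies, e.g. 30 minutes on Tomcat)."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        if _local(elem.tag) == "session-timeout" and elem.text:
            return int(elem.text.strip())
    return None


def audit_session_timeout(web_xml: str) -> list:
    """Return a list of findings; an empty list means the timeout is acceptable."""
    timeout = session_timeout_minutes(web_xml)
    if timeout is None:
        return ["no <session-timeout> set; container default applies, verify it"]
    # Servlet spec: zero or a negative value means the session never expires,
    # which is worse than any large finite timeout.
    if timeout <= 0:
        return [f"session-timeout {timeout}: sessions never expire"]
    if timeout > MAX_TIMEOUT_MINUTES:
        return [f"session-timeout {timeout} min exceeds {MAX_TIMEOUT_MINUTES} min"]
    return []


# Constructed sample mirroring the flagged configuration (120 minutes).
FLAGGED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- This app is cluster-ready -->
  <distributable />
  <!-- Set timeout to 120 minutes -->
  <session-config>
    <session-timeout>120</session-timeout>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    for finding in audit_session_timeout(FLAGGED_WEB_XML):
        print(finding)
```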

First Event

(no event)

Last Event

(no event)

HTTP Request

(No HTTP Request)

References

https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management