bahmni-bihar / bahmni_config


Improper Session Timeout #5

Open petmongrels opened 3 years ago

petmongrels commented 3 years ago

Medium

OWASP Session Management Testing: Insufficient Session Expiration occurs when a web application permits an attacker to reuse old session credentials or session IDs for authorization. ... The lack of proper session expiration may increase the likelihood of success of certain attacks. A long expiration time increases an attacker's chance of successfully guessing a valid session ID. A web application should invalidate a session after a predefined idle time has passed (a timeout) and provide users the means to invalidate their own sessions (logout). These simple measures help to keep the lifespan of a session ID as short as possible.

1. We logged into the vulnerable URL and noticed that the session doesn't time out even after a long period of inactivity. Proof of Concept is attached along with this tracker.

Find out how the session is timed out and set a lower value for testing.

Estimate: 2

petmongrels commented 3 years ago

https://stackoverflow.com/questions/15382895/session-timeout-in-web-xml
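The `web.xml` setting the linked Stack Overflow question refers to, shown here as an added illustration that is not taken from the bahmni_config repository or this issue. It assumes the application is deployed as a Java servlet web application whose `WEB-INF/web.xml` the deployer controls; the 30-minute value and the `cookie-config` block are suggested settings, not values from the tracker.

```xml
<!-- Added example, not from bahmni_config: deployment descriptor fragment (WEB-INF/web.xml). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Weak setting, matching the behaviour reported in this issue. Per the Servlet
       specification, zero or a negative value tells the container never to expire
       the session on inactivity:

       <session-config>
         <session-timeout>0</session-timeout>
       </session-config>
  -->

  <!-- Corrected setting: idle timeout in whole minutes. 30 is an assumed value;
       set it to 1 while verifying the fix, then raise it to the agreed policy. -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure> <!-- only valid when the application is served over HTTPS -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

To verify after redeploying: log in, stay idle past the configured timeout, then replay the old `JSESSIONID` cookie against an authenticated page; the container should treat the request as unauthenticated. If the session still never expires, search the application code for `HttpSession.setMaxInactiveInterval(...)`, because a value set there (including 0 or a negative number) overrides the descriptor for that session.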