You need two browsers for exploitation
1)Go to users settings in both the browsers
2)update your password in one browser and click on save
3)Now move to other browser and try to add some information like name and all.
i.e it is not asking for reauthentication after password change..
The other browser doesnt log you out because of password change..Thus an attacker can edit any information...
If an attacker had already logged in once..No matter how many times the victim changes his password,
the attacker would be able to access the victim's account.
Session Management Issue in Users tab
link: http://localhost/monstra/users/1/edit
You need two browsers for exploitation 1)Go to users settings in both the browsers 2)update your password in one browser and click on save 3)Now move to other browser and try to add some information like name and all.
i.e it is not asking for reauthentication after password change..
The other browser doesnt log you out because of password change..Thus an attacker can edit any information... If an attacker had already logged in once..No matter how many times the victim changes his password, the attacker would be able to access the victim's account.
Refer to owasp for session management