Project

General

Profile

Actions
Copy link

Feature #256

open

Feature #235: [Security Audit Round 2 ]

[Security Audit Round 2 ] Improper Session Management / Session Expiration too longer (Repeated)

Added by Kalyan Battula 12 months ago. Updated 11 months ago.

Status:
Ready for Prod
Priority:
High
Assignee:
Harish Beechani
Category:
-
Target version:
Security Audit
Start date:
01/05/2024
Due date:
% Done:

0%

Estimated time:
Deployed In:
Category:

Description

Improper Session Management / Session Expiration too longer (Repeated)
observation : Repeated
CWE : CWE-613
Description :
In this application a single fixed token is in use for single user, token expiry time also
too longer.
Affected Path(s) :
https://earogya.satragroup.in/login *-Applicable to entire application
Impact :
It helps the attackers to submit without any authentication.
Evidence/Proof Of Concept :
Step 1: Login to the application with any user.And Capture the request.Here application
using the JWT token for user token as shown as below screenshot.

Step 2: Now, observe the expiration token of the JWT token. It is noticed that expiration time
of the token was too long as shown in below screenshot.

Recommendation :
It is recommended to maintain session id after login and destroy it after logout.
Reference Link: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_
Cheat_Sheet.htm

Files

Download all files
clipboard-202405011252-t5xtj.png (107 KB) clipboard-202405011252-t5xtj.png Kalyan Battula, 01/05/2024 12:52 PM
clipboard-202405011252-64u3c.png (88.9 KB) clipboard-202405011252-64u3c.png Kalyan Battula, 01/05/2024 12:52 PM
Actions
Copy link

Also available in: Atom PDF