Bug #79
Parent: Feature #65: Security Audit (closed)
[Security Audit] 14 - Improper Session Management / Session Expiration Too Long
Description
14 - Improper Session Management / Session Expiration Too Long
CWE: CWE-613 (Insufficient Session Expiration)
Description:
The application issues a single fixed token per user rather than a fresh session token per login, and the expiry time of that token is far too long.
Affected Path(s):
https://earogya.satragroup.in/login (applicable to the entire application)
Impact:
Because the token is fixed per user and stays valid for a long time, anyone who captures it (from a proxy log, browser storage, a shared device, or a leaked request) can replay it and submit requests as that user without authenticating again, for as long as the token remains unexpired.
Recommendation:
Issue a new session identifier/token at every login, keep its lifetime short (an idle timeout and an absolute expiry), and invalidate it server-side at logout so that a captured token cannot be reused.
Reference Link: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
Evidence/Proof Of Concept:
Step 1: Log in to the application with any user and capture the request. The application uses a JWT as the user token, as shown in the screenshot below.
Step 2: Decode the JWT and observe its expiration (exp) claim. The expiration time of the token is far longer than a normal session, as shown in the screenshot below.
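The check in Step 2 and the remediation in the Recommendation can both be expressed in code. The following is an added example written for this ticket; it is not code from the audited application or from the audit report. It decodes a JWT payload without verifying the signature (enough to read iat/exp and compute the lifetime), flags tokens whose lifetime exceeds a chosen maximum, and then shows a minimal HS256 session store that issues short-lived tokens with a unique jti and revokes the jti at logout. The signing key, user names, timestamps, and the 30-minute threshold are all assumptions chosen for the example; the long-lived sample token is constructed here to mirror the finding.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def b64url_decode(s: str) -> bytes:
    """Base64url decode, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Read the payload of a JWT WITHOUT verifying it (inspection only, as in Step 2)."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def token_lifetime_seconds(token: str) -> int:
    """exp - iat; a missing exp means the token never expires, which is the worst case."""
    claims = decode_claims(token)
    if "exp" not in claims:
        raise ValueError("no exp claim: token never expires")
    if "iat" not in claims:
        raise ValueError("no iat claim: lifetime cannot be computed from the token alone")
    return claims["exp"] - claims["iat"]


MAX_LIFETIME = 30 * 60  # assumed policy: 30-minute session tokens


def expiry_too_long(token: str, max_lifetime: int = MAX_LIFETIME) -> bool:
    return token_lifetime_seconds(token) > max_lifetime


class SessionStore:
    """Hardened side: fresh token per login, short exp, server-side revocation at logout."""

    def __init__(self, key: bytes, lifetime: int = 15 * 60):
        self.key = key
        self.lifetime = lifetime
        self.revoked: set = set()  # jti values invalidated by logout

    def _sign(self, signing_input: bytes) -> str:
        return b64url_encode(hmac.new(self.key, signing_input, hashlib.sha256).digest())

    def issue(self, user: str, now: int) -> str:
        """Issue a new HS256 JWT with a unique jti so each login gets its own token."""
        header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        claims = {"sub": user, "iat": now, "exp": now + self.lifetime, "jti": secrets.token_hex(16)}
        payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
        return f"{header}.{payload}.{self._sign(f'{header}.{payload}'.encode())}"

    def validate(self, token: str, now: int) -> Optional[dict]:
        """Return the claims if signature, expiry and revocation checks all pass, else None."""
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(self._sign(f"{header}.{payload}".encode()), sig):
            return None
        claims = json.loads(b64url_decode(payload))
        if now >= claims.get("exp", 0):  # RFC 7519: reject on or after exp
            return None
        if claims.get("jti") in self.revoked:
            return None
        return claims

    def logout(self, token: str) -> None:
        """Destroy the session: the jti is refused from now on even though exp is in the future."""
        self.revoked.add(decode_claims(token)["jti"])


# Constructed sample mirroring the finding: exp is one year after iat.
LONG_LIVED_TOKEN = SessionStore(b"demo-key", lifetime=365 * 24 * 3600).issue("demo-user", 1_700_000_000)

if __name__ == "__main__":
    print("lifetime (s):", token_lifetime_seconds(LONG_LIVED_TOKEN), "too long:", expiry_too_long(LONG_LIVED_TOKEN))
```

Run against a captured token, the first two functions reproduce the Step 2 observation numerically (lifetime in seconds versus the policy maximum) instead of by screenshot. The SessionStore shows why a short exp alone is not the whole fix: without the jti revocation set, a token would remain valid after logout until it expires.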
Updated by Vasudev Mamidi about 1 year ago
- Status changed from New to In Progress
Updated by Vasudev Mamidi about 1 year ago
- Status changed from In Progress to Resolved
Updated by Sivakanth Kesiraju about 1 year ago
- Target version set to Sprint 1 (29th April - 3rd May)
Updated by Sivakanth Kesiraju about 1 year ago
- Target version changed from Sprint 1 (29th April - 3rd May) to Security Audit