Bug #79: [Security Audit ] 14 -Improper Session Management / Session Expiration too longer - E-Arogya - Redmine

Actions

Copy link

Bug #79

closed

Feature #65: Security Audit

[Security Audit ] 14 -Improper Session Management / Session Expiration too longer

Added by Kalyan Battula about 1 year ago. Updated 7 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Vasu Malladi

Category:

Target version:

Security Audit

Start date:

17/04/2024

Due date:

% Done:

Estimated time:

Deployed In:

Category:

Description

14- Improper Session Management / Session Expiration too longer
CWE : CWE-613
Description :
In this application a single fixed token is in use for single user, token expiry time also
too longer.
Affected Path(s) :
https://earogya.satragroup.in/login *-Applicable to entire application
Impact :
It helps the attackers to submit without any authentication.
Recommendation :
It is recommended to maintain session id after login and destroy it after logout.
Reference Link: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_
Cheat_Sheet.html
Evidence/Proof Of Concept :
Step 1: Login to the application with any user.And Capture the request.Here application
using the JWT token for user token as shown as below screenshot.

Step 2: Now, observe the expiration token of the JWT token. It is noticed that expiration time of the token was too long as shown in below screenshot.

Files

Download all files

clipboard-202404171554-zb0b4.png (109 KB) clipboard-202404171554-zb0b4.png		Kalyan Battula, 17/04/2024 03:54 PM
clipboard-202404171555-wgpwd.png (69.8 KB) clipboard-202404171555-wgpwd.png		Kalyan Battula, 17/04/2024 03:55 PM