Project

General

Profile

Actions
Copy link

Bug #79

closed

Feature #65: Security Audit

[Security Audit ] 14 -Improper Session Management / Session Expiration too longer

Added by Kalyan Battula about 1 year ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Vasu Malladi
Category:
-
Target version:
Security Audit
Start date:
17/04/2024
Due date:
% Done:

0%

Estimated time:
Deployed In:
Category:

Description

14- Improper Session Management / Session Expiration too longer
CWE : CWE-613
Description :
In this application a single fixed token is in use for single user, token expiry time also
too longer.
Affected Path(s) :
https://earogya.satragroup.in/login *-Applicable to entire application
Impact :
It helps the attackers to submit without any authentication.
Recommendation :
It is recommended to maintain session id after login and destroy it after logout.
Reference Link: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_
Cheat_Sheet.html
Evidence/Proof Of Concept :
Step 1: Login to the application with any user.And Capture the request.Here application
using the JWT token for user token as shown as below screenshot.

Step 2: Now, observe the expiration token of the JWT token. It is noticed that expiration time of the token was too long as shown in below screenshot.

Files

Download all files
clipboard-202404171554-zb0b4.png (109 KB) clipboard-202404171554-zb0b4.png Kalyan Battula, 17/04/2024 03:54 PM
clipboard-202404171555-wgpwd.png (69.8 KB) clipboard-202404171555-wgpwd.png Kalyan Battula, 17/04/2024 03:55 PM
Actions
Copy link

Also available in: Atom PDF