Session hijacking -> Insufficient Session Expiration
Insufficient Session Expiration is a weakness in which a web site continues to accept old session credentials or session IDs for authorization after they should have been invalidated, for example after the user logs out.
Exploitation
This webapp permits a user to reuse their session ID after logout. It is supposed to invalidate the session ID on the server when the user logs out of their account.
Let's log out from the account by clicking the logout link.
Now we have logged out from the account. To reuse our old session ID, we click the browser's back button to return to the previous page and then refresh the page to determine whether or not we are still logged in.
As you can see, we were still logged in after logging out from the account. This means the application was not invalidating the session on logout.
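The following is an added example (not code from the lab application) showing why this happens and how to fix it: a minimal server-side session store whose logout handler either only clears the browser cookie (the vulnerable behaviour, so a replayed session ID is still honoured) or also deletes the session on the server. The store, user names and TTL values are constructed for illustration.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory server-side session store (constructed example)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        # session id -> {"user": <name>, "expires": <unix timestamp>}
        self._sessions = {}

    def login(self, user):
        # Fresh, unpredictable session id per login (prevents fixation too)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": time.time() + self.ttl}
        return sid

    def current_user(self, sid):
        """Resolve a session id to a user; None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] < time.time():
            del self._sessions[sid]  # idle/absolute timeout reached
            return None
        return rec["user"]

    def logout_vulnerable(self, sid):
        # BUG: only instructs the browser to drop the cookie. The server
        # still has the record, so anyone holding the old id stays logged in.
        return "Set-Cookie: session=; Max-Age=0"

    def logout_fixed(self, sid):
        # Invalidate server-side first, then clear the cookie.
        self._sessions.pop(sid, None)
        return "Set-Cookie: session=; Max-Age=0"


def replay_after_logout(store, logout):
    """Reproduce the page's check: log in, log out, then present the old
    session id again (the 'back and refresh' step). Returns the user the
    server still associates with the id, or None if it was invalidated."""
    sid = store.login("alice")
    logout(sid)
    return store.current_user(sid)


if __name__ == "__main__":
    s = SessionStore()
    print("vulnerable logout ->", replay_after_logout(s, s.logout_vulnerable))
    print("fixed logout      ->", replay_after_logout(s, s.logout_fixed))
```

A real deployment should additionally enforce an absolute session lifetime and an idle timeout (modelled here by the `expires` field), since a session that is never invalidated on logout and never expires is the worst case of this weakness.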