1. Authentication
  1. Brute Force

  2. Insufficient Authentication

  3. Weak Password Recovery Validation

2. Authorization
  1. Credential/Session Prediction

  2. Insufficient Authorization

  3. Insufficient Session Expiration

  4. Session Fixation

3. Client-side Attacks
  1. Content Spoofing

  2. Cross-site Scripting

4. Command Execution
  1. Buffer Overflow
  2. Format String Attack
  3. LDAP Injection
  4. OS Commanding
  5. SQL Injection
  6. SSI Injection
  7. XPath Injection
5. Information Disclosure
  1. Directory Indexing

  2. Information Leakage

  3. Path Traversal

  4. Predictable Resource Location

6. Logical Attacks
  1. Abuse of Functionality

  2. Denial of Service

  3. Insufficient Anti-automation

  4. Insufficient Process Validation

Insufficient Session Expiration

Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases a web site's exposure to attacks that steal or impersonate other users.

Since HTTP is a stateless protocol, web sites commonly use session IDs to uniquely identify a user from request to request. Consequently, each session ID's confidentiality must be maintained in order to prevent multiple users from accessing the same account. A stolen session ID can be used to view another user's account or perform a fraudulent transaction.

The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.

A long expiration time increases an attacker's chance of successfully guessing a valid session ID. The long length of time increases the number of concurrent and open sessions, which enlarges the pool of numbers an attacker might guess.

In a shared computing environment (more than one person has unrestricted physical access to a computer), Insufficient Session Expiration can be exploited to view another user's web activity. If a web site's logout function merely sends the victim to the site's home page without ending the session, another user could go through the browser's page history and view pages accessed by the victim. Since the victim's session ID has not been expired, the attacker would be able to see the victim's session without being required to supply authentication credentials.

"Dos and Don'ts of Client Authentication on the Web", Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster - MIT Laboratory for Computer Science http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf

To receive your Free Application Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $1999.00 for a second Insufficient Session Expiration attack vulnerability test.

Business Name:
Contact Information:
Email Address:
URL or IP address:

Other members of our business group:

COPYRIGHT (C) 2000 - 2013 InfoSecPro.com ALL RIGHTS RESERVED