Insufficient Session Expiration

Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases a web site's exposure to attacks that steal or impersonate other users.

Since HTTP is a stateless protocol, web sites commonly use session IDs to uniquely identify a user from request to request. Consequently, each session ID's confidentiality must be maintained in order to prevent multiple users from accessing the same account. A stolen session ID can be used to view another user's account or perform a fraudulent transaction.

The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is used immediately, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.

A long expiration time also increases an attacker's chance of successfully guessing a valid session ID: the longer sessions stay valid, the more concurrent open sessions exist, which enlarges the pool of IDs an attacker might guess.
Example

In a shared computing environment (more than one person has unrestricted physical access to a computer), Insufficient Session Expiration can be exploited to view another user's web activity. If a web site's logout function merely sends the victim to the site's home page without ending the session, another user could go through the browser's page history and view pages accessed by the victim. Since the victim's session ID has not been expired, the attacker would be able to see the victim's session without being required to supply authentication credentials.