Session Management / Exposure of Data Element to Wrong Session

Web and API

Description

Exposure of Data Element to Wrong Session (CWE-488) is a vulnerability class in Web and API applications in which data belonging to one user's session is returned in, or becomes visible to, a different user's session. It typically arises in one of two ways: per-request or per-user state is held in storage shared across requests (servlet instance fields, static variables, application-scoped caches or singletons), so that concurrent requests overwrite each other's data; or the application identifies the caller from client-supplied values instead of from the authenticated server-side session. Either way, one user ends up reading data that was meant for another. (Reference: https://cwe.mitre.org/data/definitions/488.html)

Risk

An attacker, or simply an unlucky concurrent user, can obtain data elements belonging to another session: user credentials, personal information, or confidential business data. When the mis-bound element is the identity itself (the user id or role held for another session), the application performs actions on behalf of the wrong user, which amounts to an authorization bypass. Because the leak is usually silent and often depends on timing, it is easy to miss in single-user testing, and once exploited it can lead to data breaches, identity theft, and further malicious activity.

Solution

Prevention comes down to keeping every request's data bound to that request and its authenticated session, never to shared state. Concretely: do not store per-user data in servlet or controller instance fields, static fields, or application-wide singletons; keep it in local variables, request attributes, or the server-side session object. Take the caller's identity from the server-side session (or a validated token) rather than from request parameters, client-controlled cookies, or headers. Treat session identifiers as opaque secrets: generate them with a cryptographically secure random source and never accept one supplied in a URL or form field. Finally, test with concurrent requests from different sessions, since this class of bug rarely shows up when one tester drives the application alone. (Reference: https://owasp.org/www-project-testing-guide/v5/4-Session_Management_Testing/)
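The shared-state case described above, as an added, self-contained Java example that is not code from the original page. It imitates what a servlet container does (one handler instance, many request threads) without depending on the servlet API. The class and method names, the session store and the CountDownLatch used to force the two requests to interleave are all constructed for the illustration; it assumes a Java 9 or later JDK.

```java
import java.util.Map;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Added illustration, not code from the original page. It mimics a servlet container,
// which creates ONE handler instance and calls it from many request threads at once.
public class WrongSessionDemo {

    // Constructed session store: session id -> authenticated user.
    static final Map<String, String> SESSIONS = Map.of("sid-A", "alice", "sid-B", "bob");

    interface Handler {
        String handle(String sessionId, CountDownLatch gate) throws InterruptedException;
    }

    // VULNERABLE (CWE-488): per-request data is kept in an instance field that every
    // request thread shares. Between the write and the read, another request overwrites it.
    static class LeakyHandler implements Handler {
        private String currentUser;

        public String handle(String sessionId, CountDownLatch gate) throws InterruptedException {
            currentUser = SESSIONS.get(sessionId);
            gate.countDown();
            gate.await();                       // stand-in for slow I/O; the other request runs meanwhile
            return "Hello " + currentUser;      // may now name the OTHER session's user
        }
    }

    // FIXED: per-request data lives on the stack of the thread serving that request.
    static class SafeHandler implements Handler {
        public String handle(String sessionId, CountDownLatch gate) throws InterruptedException {
            String user = SESSIONS.get(sessionId);
            gate.countDown();
            gate.await();
            return "Hello " + user;
        }
    }

    // Serve both sessions concurrently through a single shared handler instance.
    // The latch makes both writes happen before either read, so the race shows on every run.
    static Map<String, String> serve(Handler shared) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        CountDownLatch gate = new CountDownLatch(2);
        try {
            Future<String> a = pool.submit(() -> shared.handle("sid-A", gate));
            Future<String> b = pool.submit(() -> shared.handle("sid-B", gate));
            return Map.of("sid-A", a.get(), "sid-B", b.get());
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky: " + serve(new LeakyHandler()));
        System.out.println("safe:  " + serve(new SafeHandler()));
    }
}
```

With the leaky handler both responses carry the same user name, so one of the two sessions receives the greeting meant for the other; with the safe handler each session gets its own. The latch is only there to make the interleaving deterministic; in production the same overwrite happens whenever two requests overlap, which is why the bug appears under load rather than in a single-user test.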

Example

The following simplified Java servlet fragment illustrates the second cause, identity taken from client-supplied values:

// Both identifiers arrive as request parameters, i.e. under the client's control.
String userId = request.getParameter("userId");
String sessionId = request.getParameter("sessionId");

// Comparing a session id with a user id proves nothing: any caller can send
// matching values and have the request handled as the user named in "userId".
if (sessionId.equals(userId)) {
    // handle request and return data for userId
}

The flaw is that the request never consults the server-side session at all. Identity is taken from parameters the client chooses, and the equality test between the two values is not an authentication check, so an attacker who supplies another user's identifier receives that user's data. The session identifier should come only from the container-managed session cookie, and the user identity should be read from the attributes of that server-side session (for example via request.getSession(false) and the user attribute stored there at login), never from request.getParameter.
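The same lookup done both ways, as an added example that is not code from the original page. It stands in for the servlet API with a constructed Request record (a server-set session cookie plus client-controlled parameters) and two constructed maps for the session store and the per-user data; the class, method and user names are hypothetical, and it assumes a Java 16 or later JDK for the record syntax.

```java
import java.util.Map;
import java.util.Optional;

// Added illustration, not the original page's code: identity from a request
// parameter (vulnerable) versus identity from the server-side session (fixed).
public class SessionLookupDemo {

    // Constructed server-side state: session id -> authenticated user, user -> private data.
    static final Map<String, String> SESSIONS = Map.of("sid-alice", "alice", "sid-bob", "bob");
    static final Map<String, String> PROFILES =
            Map.of("alice", "alice@example.com", "bob", "bob@example.com");

    // Hypothetical request: the session cookie is the only value the server issued;
    // every parameter is chosen by the client.
    record Request(String sessionCookie, Map<String, String> params) {}

    // VULNERABLE: identity comes from a request parameter, so any caller can name any user.
    static String vulnerableProfile(Request req) {
        String userId = req.params().get("userId");
        return PROFILES.getOrDefault(userId, "not found");
    }

    // FIXED: identity comes from the server-side session bound to the cookie; the
    // "userId" parameter is never consulted, and a missing session is refused, not guessed.
    static Optional<String> safeProfile(Request req) {
        String user = SESSIONS.get(req.sessionCookie());
        if (user == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(PROFILES.get(user));
    }

    public static void main(String[] args) {
        // Bob's session, but a userId parameter naming alice: the page's scenario.
        Request forged = new Request("sid-bob", Map.of("userId", "alice"));
        System.out.println("vulnerable: " + vulnerableProfile(forged));            // alice's data
        System.out.println("safe:       " + safeProfile(forged).orElse("denied")); // bob's data

        // No valid session at all: the safe path denies instead of serving anyone's data.
        Request noSession = new Request("sid-unknown", Map.of("userId", "alice"));
        System.out.println("vulnerable, no session: " + vulnerableProfile(noSession));
        System.out.println("safe, no session:       " + safeProfile(noSession).orElse("denied"));
    }
}
```

The vulnerable path returns alice's profile to a request made with bob's session, and still returns it when there is no valid session at all. The fixed path ignores the parameter entirely: whatever the client sends, the data returned is the data of the user the server itself associated with that session cookie at login.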
