Session Management / Insufficient Session Expiration

Web and API

Description

Insufficient Session Expiration (CWE-613) is a session management weakness commonly found in web applications and APIs. It occurs when the server does not terminate a session at the expected time: after logout, after a period of inactivity, or after a maximum lifetime. A session identifier that has been stolen or left behind (on a shared machine, in a log, in browser history) then remains valid, and an attacker who presents it is treated as the authenticated user without ever passing the authentication step. The weakness is catalogued in the Common Weakness Enumeration (CWE), and the OWASP Web Security Testing Guide describes the attack and gives steps for testing session timeout and logout behaviour.

Risk

An attacker who obtains a session identifier can reuse it to bypass authentication and reach areas of the application they are not authorised for, which can lead to information disclosure or unauthorised access to sensitive data. The longer a session stays valid, the larger the window in which a stolen identifier is useful. On its own the weakness does not hand the attacker a token; it amplifies any other issue that leaks one, such as cross-site scripting, session fixation, or a session cookie left in the cache of a shared workstation.

Solution

The fix is to make the server, not the client, decide when a session ends. Configure both an idle timeout (terminate after a period without requests) and an absolute timeout (terminate after a maximum lifetime regardless of activity), with values appropriate to the sensitivity of the application. Provide a logout function that invalidates the session on the server side immediately; clearing the cookie in the browser is not enough, because the identifier stays valid until the server forgets it. Invalidate all of a user's sessions on password change or suspected compromise. Do not store authentication credentials in the session, and if bearer tokens such as OAuth2 access tokens or JWTs are used instead of server-side sessions, they need the same short lifetimes and a revocation mechanism, since the token format alone does not solve expiration.
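As an added example (not code from the original page or from any particular product), here is a minimal server-side session store in Python that applies the controls above: idle and absolute timeouts, server-side invalidation on logout, and bulk invalidation on password change. Beside it is the naive store that exhibits CWE-613, so the difference is visible. The timeout values, the `FakeClock` and the timeline in `demo()` are constructed for illustration.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Constructed policy values for this example; tune them to the application's risk.
IDLE_TIMEOUT_S = 15 * 60           # terminate after 15 minutes without a request
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60   # terminate 8 hours after login regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting for real time."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    """Server-side store that enforces idle and absolute timeouts and
    destroys sessions on logout: the CWE-613 mitigation."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_S, absolute_timeout=ABSOLUTE_TIMEOUT_S, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> str | None:
        """Return the user for a live session; expire it and return None otherwise."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.created_at > self.absolute_timeout or now - s.last_seen > self.idle_timeout:
            del self._sessions[token]  # drop server state so the token cannot be revived
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Invalidate on the server; clearing the browser cookie alone leaves the token live."""
        self._sessions.pop(token, None)

    def logout_all(self, user: str) -> int:
        """Invalidate every session of a user, e.g. on password change or suspected compromise."""
        stale = [t for t, s in self._sessions.items() if s.user == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


class NaiveSessionStore(SessionStore):
    """The weak pattern: a token is valid until the process restarts, and
    logout only tells the browser to forget the cookie."""

    def validate(self, token: str) -> str | None:
        s = self._sessions.get(token)
        return s.user if s else None

    def logout(self, token: str) -> str:
        return "Set-Cookie: session=; Max-Age=0"  # server-side state untouched


def demo() -> dict:
    """Exercise both stores against a constructed timeline; returns what each check saw."""
    clock = FakeClock()
    good, naive = SessionStore(clock=clock), NaiveSessionStore(clock=clock)
    r = {}

    # Idle timeout: a stolen token goes stale once the victim stops using it.
    t_good, t_naive = good.create("alice"), naive.create("alice")
    clock.advance(10 * 60)
    r["good_after_10m"] = good.validate(t_good)          # "alice"
    clock.advance(16 * 60)
    r["good_after_16m_idle"] = good.validate(t_good)     # None
    r["naive_after_16m_idle"] = naive.validate(t_naive)  # still "alice"

    # Absolute timeout: steady activity must not keep a session alive forever.
    t_good = good.create("bob")
    for _ in range(48):                 # one request every 10 minutes for 8 hours
        clock.advance(10 * 60)
        good.validate(t_good)
    r["good_at_8h"] = good.validate(t_good)              # "bob", exactly at the limit
    clock.advance(10 * 60)
    r["good_after_8h10m"] = good.validate(t_good)        # None

    # Logout must destroy the session on the server, not just the cookie.
    t_good, t_naive = good.create("carol"), naive.create("carol")
    good.logout(t_good)
    naive.logout(t_naive)
    r["good_after_logout"] = good.validate(t_good)       # None
    r["naive_after_logout"] = naive.validate(t_naive)    # "carol"

    # Password change: every session of the user goes away.
    a, b = good.create("dave"), good.create("dave")
    r["dave_sessions_killed"] = good.logout_all("dave")  # 2
    r["dave_after"] = (good.validate(a), good.validate(b))  # (None, None)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The absolute timeout is what defeats an attacker who keeps a stolen session warm by sending periodic requests; the idle timeout alone would never fire for them. Note that `validate` deletes the expired record rather than merely refusing it, so a later clock skew or bug cannot resurrect it, and that `logout_all` is the hook a password-change or account-recovery handler should call.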
