@virendratiwari03
Created November 4, 2020 06:46
Product: Microweber
Product Version: 1.1.18
Vulnerability: Insufficient Session Expiration
Description:
Insufficient Session Expiration occurs when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
Attack Type: Local
Impact:
The lack of proper session expiration increases the likelihood that certain attacks succeed.
For example, an attacker may intercept a session ID, possibly via a network sniffer or a Cross-site Scripting attack.
Although short session expiration times do not help if a stolen token is used immediately, they do protect against ongoing replay of the session ID.
In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment).
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.
Reference:
http://projects.webappsec.org/w/page/13246944/Insufficient%20Session%20Expiration
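The Impact section above describes the consequence of session IDs that stay valid indefinitely. The following added example, which is not Microweber code and not the gist author's, shows a minimal server-side session store that enforces the controls the reference describes: an absolute lifetime, an idle timeout, and server-side invalidation on logout so that an old session ID cannot be replayed from a sniffed cookie or a shared computer. The limits ABSOLUTE_LIFETIME and IDLE_TIMEOUT, the injectable clock, and the user name "alice" are assumed values chosen for illustration.

```python
"""Server-side session store with absolute and idle expiration.

Added example illustrating the mitigation for Insufficient Session
Expiration; it is not code from Microweber. The limits below are assumed
values, not values from the product.
"""
import secrets
import time
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 8 * 3600   # assumed: session dies 8 h after login regardless of activity
IDLE_TIMEOUT = 15 * 60         # assumed: session dies after 15 min without a request


@dataclass
class Session:
    user: str
    created_at: float   # fixed at login; drives the absolute lifetime check
    last_seen: float    # updated on every accepted request; drives the idle check


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for deterministic tests
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Issue a fresh, unguessable session ID (256 bits of entropy)."""
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: str):
        """Return the user for a live session, or None. Dead sessions are purged
        from the store so a replayed ID can never be revived."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.created_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s.last_seen = now   # sliding idle window
        return s.user

    def logout(self, token: str) -> None:
        """Server-side invalidation: clearing the browser cookie alone leaves the
        ID usable by anyone who captured it."""
        self._sessions.pop(token, None)

    def revoke_all(self, user: str) -> int:
        """Kill every session of a user, e.g. after a password change."""
        dead = [t for t, s in self._sessions.items() if s.user == user]
        for t in dead:
            del self._sessions[t]
        return len(dead)


def demo() -> dict:
    """Deterministic walk-through with a fake clock; returns what each lookup saw."""
    t = [1_000_000.0]                       # constructed clock value
    store = SessionStore(clock=lambda: t[0])
    results = {}

    tok = store.create("alice")
    results["fresh"] = store.resolve(tok)               # "alice"
    t[0] += IDLE_TIMEOUT - 1
    results["active"] = store.resolve(tok)              # "alice": idle window slides
    t[0] += IDLE_TIMEOUT + 1
    results["idle_expired"] = store.resolve(tok)        # None: idle limit exceeded

    tok2 = store.create("alice")
    store.logout(tok2)
    results["after_logout"] = store.resolve(tok2)       # None: old ID cannot be reused

    # Keep a session continuously active; it must still die at the absolute limit.
    tok3 = store.create("alice")
    step = IDLE_TIMEOUT // 2
    for _ in range(ABSOLUTE_LIFETIME // step + 1):
        t[0] += step
        store.resolve(tok3)
    results["absolute_expired"] = store.resolve(tok3)   # None despite constant activity
    return results


if __name__ == "__main__":
    print(demo())
```

The idle timeout is the control that limits ongoing replay of a sniffed ID, and the absolute lifetime caps the damage when a client keeps the session alive; both are checked on every request rather than only at login. Invalidation lives on the server, which is what makes the back-button and shared-computer scenarios above fail once the victim has logged out.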