Product: Microweber
Product Version: 1.1.18
Vulnerability: Insufficient Session Expiration
Description:
Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
Attack Type: Local
Impact:
The lack of proper session expiration may improve the likely success of certain attacks.
For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack.
Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID.
In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment).
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.
Reference:
http://projects.webappsec.org/w/page/13246944/Insufficient%20Session%20Expiration