Failure to Invalidate Session on Logout
Vulnerability Category: A5-Broken Access Control
Vulnerability Description: The application does not properly invalidate a user’s session on the server after the user initiates logout. The session remains active on the server, so any request that carries the user’s session identifier is processed as though the user had made it.
Impact: An attacker who obtains a previously used session token can replay it to access the application as that user, even after the user has logged out.
Recommendation: The user’s HTTP session should be terminated on the server immediately after a logout action is performed. Note that simply deleting the cookie from the browser does not terminate the server-side session. The session must be invalidated at the server, using the HTTP container’s intrinsic session abandonment mechanism.
Severity: Low
CVSS v3.0 Score: 3.8
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
How to Test:
1) Log in to the application using the Chrome browser and browse the application.
2) Use the “Edit this Cookie” plugin in Chrome and copy all the cookies present.
3) Log out from the application and clear the cookies from the browser.
4) Use the “Edit this Cookie” plugin and paste all the cookies copied earlier.
5) Click OK and refresh the page; the application shows the user as logged in again.
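The following is an added example, not code from the original write-up or from any affected application. It models the recommendation and the test procedure above with a minimal in-memory server-side session store: `vulnerable_logout` only tells the browser to drop the cookie (the flaw described), `fixed_logout` first abandons the session on the server, and `replay_after_logout` replays steps 1–5 against each variant. The names `SessionStore`, `whoami`, the cookie name `SESSIONID` and the 30-minute idle timeout are assumptions chosen for illustration; the server-side call corresponds to `HttpSession.invalidate()` in a Java Servlet container, `Session.Abandon()` in ASP.NET, or `session_destroy()` in PHP.

```python
"""Added example: server-side session invalidation on logout (not from the original post).
Names and the cookie name are constructed for illustration, not any framework's API."""
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

COOKIE_NAME = "SESSIONID"      # assumed cookie name
IDLE_TIMEOUT = 30 * 60         # seconds; assumed value


class SessionStore:
    """Maps an opaque random session identifier to the server-side session state."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str, now: Optional[float] = None) -> str:
        # 256 bits from the OS CSPRNG; the identifier carries no meaning of its own.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "last_seen": time.time() if now is None else now}
        return sid

    def lookup(self, sid: Optional[str], now: Optional[float] = None) -> Optional[dict]:
        """Return the session for sid, or None if it is unknown or idle-expired."""
        if sid is None:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = time.time() if now is None else now
        if now - session["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)    # expired: drop it on the server too
            return None
        session["last_seen"] = now
        return session

    def invalidate(self, sid: Optional[str]) -> None:
        """Server-side abandonment: the identifier can never be resolved again."""
        if sid is not None:
            self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)


def sid_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Extract the session identifier from a raw Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def whoami(store: SessionStore, cookie_header: str) -> Optional[str]:
    """Model of an authenticated endpoint: which user the server attributes the request to."""
    session = store.lookup(sid_from_cookie_header(cookie_header))
    return session["user"] if session else None


# Set-Cookie value both logout variants send back to clear the browser cookie.
CLEAR_COOKIE = f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; Secure"


def vulnerable_logout(store: SessionStore, cookie_header: str) -> str:
    """The flaw: only the browser cookie is cleared; the server still holds the session."""
    return CLEAR_COOKIE


def fixed_logout(store: SessionStore, cookie_header: str) -> str:
    """The fix: abandon the session on the server first, then clear the browser cookie."""
    store.invalidate(sid_from_cookie_header(cookie_header))
    return CLEAR_COOKIE


def replay_after_logout(logout) -> Optional[str]:
    """Replays the test procedure: log in, save the cookie, log out, re-send the saved cookie.
    Returns the user the server still attributes the replayed request to (None means fixed)."""
    store = SessionStore()
    sid = store.create("alice")                   # step 1: login
    saved_cookie = f"{COOKIE_NAME}={sid}"         # step 2: copy the cookie
    logout(store, saved_cookie)                   # step 3: logout, browser cookie cleared
    return whoami(store, saved_cookie)            # steps 4-5: paste the old cookie back


if __name__ == "__main__":
    print("vulnerable logout, replayed cookie resolves to:", replay_after_logout(vulnerable_logout))
    print("fixed logout, replayed cookie resolves to:     ", replay_after_logout(fixed_logout))
```

With the vulnerable handler the replayed cookie still resolves to `alice`; with the fixed handler it resolves to nothing, which is the behaviour step 5 of the test should observe once the finding is remediated. The idle timeout is kept in the model because a session that is only ever expired by inactivity, rather than on logout, reproduces the same exposure window.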
Tools to Use:
1) Chrome Browser
2) Edit this Cookie add-on for the Chrome browser
Note: If I wrote any mistakes in my posts, please notify me; I will rectify them and learn more about it.