28 Feb, 2023

Insufficient Session Expiration

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Insufficient Session Expiration refers to a vulnerability in web applications where a user’s session remains active for longer than necessary, even after the user has logged out or the session should have expired due to inactivity. This can allow an attacker to hijack the user’s session and gain unauthorized access to sensitive information or perform actions on the user’s behalf. Insufficient Session Expiration can be abbreviated as ISE.

Example of vulnerable code on different programming languages:


in PHP:

				
					session_start();
// set session variables
$_SESSION['username'] = "John";
$_SESSION['user_id'] = 123;
// set session timeout to 30 minutes
ini_set('session.gc_maxlifetime', 1800);
// check if session has timed out
if (isset($_SESSION['last_activity']) && time() - $_SESSION['last_activity'] > 1800) {
    // session has timed out, destroy session
    session_unset();
    session_destroy();
}
// update last activity time
$_SESSION['last_activity'] = time();

				
			


In this PHP code, a session is started and session variables are set. The session timeout is set to 30 minutes using the ini_set function. However, there is no check to see if the session has timed out, other than checking the last_activity variable. This means that an attacker could hijack the session after 30 minutes of inactivity.

• in Java:

				
					HttpSession session = request.getSession();
// set session attributes
session.setAttribute("username", "John");
session.setAttribute("user_id", 123);
// set session timeout to 30 minutes
session.setMaxInactiveInterval(1800);

				
			


In this Java code, a session is created using the getSession method of the HttpServletRequest object. Session attributes are set using the setAttribute method. The session timeout is set to 30 minutes using the setMaxInactiveInterval method. However, there is no check to see if the session has timed out, which could allow an attacker to hijack the session after 30 minutes of inactivity.

• in Python:

				
					from flask import Flask, session, request
app = Flask(__name__)
# set session secret key
app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
# set session variables
session['username'] = "John"
session['user_id'] = 123
# set session timeout to 30 minutes
app.config['PERMANENT_SESSION_LIFETIME'] = 1800

				
			


In this Python code using Flask framework, a session is created using the session object. Session variables are set using dictionary notation. The session timeout is set to 30 minutes using the PERMANENT_SESSION_LIFETIME configuration variable. However, there is no check to see if the session has timed out, which could allow an attacker to hijack the session after 30 minutes of inactivity.

Examples of exploitation Insufficient Session Expiration

Session Hijacking:

An attacker could use a tool like a packet sniffer to intercept the session ID of a user who has not logged out of a web application properly. The attacker could then use this session ID to hijack the user’s session and gain unauthorized access to sensitive information or perform actions on the user’s behalf.

Credential Stuffing:

An attacker could use a list of usernames and passwords obtained from a data breach or other sources to automate login attempts. If the user has not logged out of the web application properly and the session is still active, the attacker could gain unauthorized access to the user’s account.

Cross-Site Request Forgery (CSRF):

An attacker could craft a malicious webpage or email that contains a hidden form or link that performs an action on the vulnerable web application. If the user clicks on the link or submits the form while their session is active, the action will be performed on their behalf without their knowledge or consent.

Session Fixation:

An attacker could use a technique called session fixation to set the session ID of a user who has not logged out of a web application properly. The attacker could then use this session ID to hijack the user’s session and gain unauthorized access to sensitive information or perform actions on the user’s behalf.

Privilege escalation techniques for Insufficient Session Expiration

Session Fixation:

As mentioned earlier, an attacker could use session fixation to set the session ID of a user who has not logged out of a web application properly. By setting the session ID to a known value, the attacker could wait for the user to log in using that session ID and then hijack the session to gain unauthorized access to sensitive information or perform actions on the user’s behalf.

Session Hijacking:

An attacker could use a tool like a packet sniffer to intercept the session ID of a user who has not logged out of a web application properly. The attacker could then use this session ID to hijack the user’s session and gain unauthorized access to sensitive information or perform actions on the user’s behalf. If the hijacked session has elevated privileges, the attacker could escalate their own privileges and perform more advanced attacks.

Session Replay:

An attacker could record a legitimate session and replay it at a later time to gain unauthorized access to the same resources. This could be possible if the session ID is predictable or the session is not properly invalidated after use. The attacker could use this technique to escalate their privileges to access sensitive information or perform actions on the victim’s behalf.

CSRF:

An attacker could use Cross-Site Request Forgery (CSRF) to force a logged-in user to perform actions on the vulnerable web application without their knowledge or consent. This could be used to escalate the attacker’s privileges by modifying the user’s settings or performing actions that the user is not authorized to do.

General methodology and checklist for Insufficient Session Expiration

Methodolohy:

  1. Identify the Application and its Authentication Mechanism: Determine the application that you will be testing and its authentication mechanism. This includes identifying the login page, the session management mechanism, and the session timeout settings.

  2. Observe the Session Management: Once you have identified the session management mechanism, you should start observing the behavior of the application during different states of the session. This includes how the session is created, how the session ID is generated, how the session is invalidated, and what happens when the session times out.

  3. Test for Session Expiration: After observing the session management mechanism, you should begin testing for session expiration. This involves logging in to the application, establishing a session, and then waiting for the session to expire. You should also test what happens when the user logs out of the application, closes the browser, or clears their cookies.

  4. Test for Session Fixation: Next, you should test for session fixation by attempting to set a known session ID and waiting for the user to log in using that session ID. You should also check if the session ID is regenerated after a successful login.

  5. Test for Session Hijacking: You should also test for session hijacking by using a packet sniffer to intercept the session ID of a user who has not logged out of the application properly. You should then attempt to use this session ID to gain unauthorized access to sensitive information or perform actions on the user’s behalf.

  6. Test for Privilege Escalation: Finally, you should test for privilege escalation by attempting to escalate your own privileges using the techniques described earlier. This includes testing for session replay, CSRF attacks, and other methods of privilege escalation.

Checklist:

  1. Determine the session management mechanism used by the application.

  2. Check the session timeout settings and make sure they are appropriate.

  3. Test what happens when the user logs out of the application, closes the browser, or clears their cookies.

  4. Test the session expiration behavior by establishing a session and waiting for it to expire.

  5. Test for session fixation vulnerabilities by attempting to set a known session ID and waiting for the user to log in using that session ID.

  6. Test for session hijacking vulnerabilities by using a packet sniffer to intercept the session ID of a user who has not logged out of the application properly.

  7. Test for privilege escalation vulnerabilities by attempting to escalate your own privileges using the techniques described earlier.

  8. Check that session IDs are regenerated after a successful login and that old session IDs are invalidated.

  9. Test the effectiveness of the session management mechanism by attempting to access resources without a valid session ID or with an expired session ID.

  10. Use automated tools to assist with testing, but always manually verify the results.

  11. Document and report any vulnerabilities found to the appropriate parties.

  12. Ensure that vulnerabilities are fixed before retesting.

  13. Retest to verify that the vulnerabilities have been successfully addressed.

Tools set for exploiting Insufficient Session Expiration

Manual Tools:

  • Burp Suite: A popular web application testing tool that includes a session management tool for testing session expiration and fixation vulnerabilities.

  • Tamper Data: A Firefox add-on that allows you to view and modify HTTP/HTTPS headers and parameters.

  • Wireshark: A network protocol analyzer that can be used to capture and inspect network traffic, including session IDs.

  • Cookie Manager+: A Firefox add-on that allows you to view, edit, create, and delete cookies.

  • Chrome Developer Tools: A built-in tool in the Google Chrome browser that allows you to inspect and modify web page code, including cookies and session IDs.

  • Fiddler: A free web debugging proxy that allows you to capture and inspect HTTP/HTTPS traffic.

  • Zed Attack Proxy (ZAP): A free and open-source web application security testing tool that includes a session management feature for testing session-related vulnerabilities.

  • SQLMap: A popular tool for testing SQL injection vulnerabilities that can also be used to test for session-related vulnerabilities.

  • Netcat: A utility that can be used to send and receive network traffic, including session IDs.

  • Browser Console: A built-in tool in most web browsers that allows you to view and modify web page code, including cookies and session IDs.

Automated Tools:

  • Acunetix: A web application security scanner that can detect and exploit session-related vulnerabilities.

  • OWASP ZAP: An automated web application security testing tool that includes a session management feature for testing session-related vulnerabilities.

  • AppScan: An automated web application security scanner that can detect and exploit session-related vulnerabilities.

  • Netsparker: An automated web application security scanner that can detect and exploit session-related vulnerabilities.

  • Arachni: An open-source web application security scanner that can detect and exploit session-related vulnerabilities.

  • Nessus: A vulnerability scanner that can detect and exploit session-related vulnerabilities.

  • Qualys: A cloud-based vulnerability scanner that can detect and exploit session-related vulnerabilities.

  • Metasploit: A penetration testing framework that includes modules for exploiting session-related vulnerabilities.

  • Core Impact: A penetration testing tool that includes modules for exploiting session-related vulnerabilities.

  • Nikto: A web server scanner that can detect and exploit session-related vulnerabilities.

Average CVSS score of stack Insufficient Session Expiration

The CVSS score of a vulnerability related to Insufficient Session Expiration can vary depending on various factors such as the severity of the vulnerability, the potential impact on the system or application, and the ease of exploitation. However, generally speaking, Insufficient Session Expiration is considered a moderate to high-risk vulnerability, and the CVSS scores for this type of vulnerability can range from 4.0 to 9.0.

In the National Vulnerability Database (NVD), the average CVSS score for vulnerabilities related to Insufficient Session Expiration is 6.6 out of 10.0, which indicates that this is a significant vulnerability that should be addressed promptly. It is important to note that this is only an average score and individual vulnerabilities can have higher or lower scores depending on the specific circumstances.

The Common Weakness Enumeration (CWE)

CWE-613: Insufficient Session Expiration: This CWE describes the vulnerability that arises when a web application fails to properly expire session tokens.

• CWE-614: Sensitive Cookie in HTTPS Session Without Secure Attribute: This CWE occurs when a cookie that contains sensitive data is transmitted over HTTPS but does not have the “secure” attribute set, which could allow an attacker to intercept the cookie and extract sensitive data.

• CWE-319: Cleartext Transmission of Sensitive Information: This CWE occurs when sensitive information is transmitted over an insecure channel, such as an unencrypted HTTP connection.

• CWE-311: Missing Encryption of Sensitive Data: This CWE occurs when sensitive data is stored or transmitted in an unencrypted format.

• CWE-362: Race Condition Within a Thread: This CWE can occur when multiple threads access the same session information simultaneously, which can result in race conditions and session-related vulnerabilities.

• CWE-352: Cross-Site Request Forgery (CSRF): This CWE describes the vulnerability that arises when a web application fails to properly validate user requests, which can allow attackers to perform actions on behalf of the user.

• CWE-614: Sensitive Cookie in HTTPS Session Without Secure Attribute: This CWE occurs when a cookie that contains sensitive data is transmitted over HTTPS but does not have the “secure” attribute set, which could allow an attacker to intercept the cookie and extract sensitive data.

• CWE-525: Use of Webpage with Incorrectly Configured or Missing Authentication: This CWE occurs when a web application fails to properly authenticate users, which can result in unauthorized access to sensitive information.

• CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’): This CWE occurs when a web application allows untrusted input to be used in a URL redirection, which can result in users being redirected to malicious sites.

• CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’): This CWE occurs when a web application allows untrusted input to be used in a URL redirection, which can result in users being redirected to malicious sites.

Top 10 CVES related to Insufficient Session Expiration

CVE-2023-0227 – Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36.

CVE-2022-4070 – Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.

CVE-2022-34392 – SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.

CVE-2022-3362 – Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0.

CVE-2022-31677 – An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.

CVE-2022-30277 – BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).

CVE-2022-2713 – Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.

CVE-2022-23063 – In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.

CVE-2022-22113 – In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.

CVE-2022-2064 – Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.

Insufficient Session Expiration exploits

  • Session Fixation: This exploit involves an attacker setting the session ID for a target user, forcing them to use a known session ID. The attacker can then use the known session ID to gain access to the user’s account.

  • Session Hijacking: This exploit involves an attacker stealing a valid session ID from a target user, usually through the use of a packet sniffer or other interception methods. The attacker can then use the stolen session ID to gain access to the user’s account.

  • Session Replay: This exploit involves an attacker recording a user’s session and then replaying it later to gain access to the user’s account.

  • Session Timeout Bypass: This exploit involves an attacker bypassing the session timeout mechanism to keep a session active beyond its intended expiration time.

  • CSRF (Cross-Site Request Forgery): This exploit involves an attacker tricking a user into performing an action on a web application without their knowledge or consent, usually by leveraging an existing session.

  • Cookie Theft: This exploit involves an attacker stealing a user’s session cookie, which can be used to gain access to the user’s account.

  • Cookie Replay: This exploit involves an attacker reusing a session cookie that has already been used by the user, effectively bypassing the authentication mechanism.

  • Man-in-the-Middle (MITM) Attack: This exploit involves an attacker intercepting traffic between the user and the web application, allowing them to capture session cookies or other sensitive information.

  • Session Data Tampering: This exploit involves an attacker modifying the data stored in a user’s session, allowing them to gain unauthorized access to resources or perform actions they are not authorized to do.

  • Brute Force Attacks: This exploit involves an attacker attempting to guess valid session IDs or other session-related information through trial and error.

Practicing in test for Insufficient Session Expiration

Set up a test environment: Create a test environment that mimics a real-world web application, and use it to practice testing for Insufficient Session Expiration vulnerabilities.

Use vulnerable applications: There are several vulnerable web applications available online that can be used for practicing testing for Insufficient Session Expiration vulnerabilities. For example, the Damn Vulnerable Web Application (DVWA) is a popular application for practicing web application security testing.

Use automated tools: Use automated tools such as Burp Suite, OWASP ZAP, or Nessus to scan for Insufficient Session Expiration vulnerabilities in a test environment.

Manual testing: Conduct manual testing by attempting to exploit Insufficient Session Expiration vulnerabilities in a test environment, using techniques such as session fixation, session hijacking, and cookie theft.

Participate in CTFs: Participate in Capture the Flag (CTF) events that focus on web application security, which often include challenges related to Insufficient Session Expiration vulnerabilities.

Read and practice examples: Read about Insufficient Session Expiration vulnerabilities and their exploitation techniques, and practice on the examples provided. Websites such as WebGoat and OWASP Juice Shop provide examples and exercises to practice different web application vulnerabilities, including Insufficient Session Expiration.

For study Insufficient Session Expiration

OWASP Top Ten: Insufficient Session Expiration: This page on the OWASP website provides an overview of Insufficient Session Expiration vulnerabilities, including common attack vectors and mitigation techniques.

Web Application Hacker’s Handbook: This book by Dafydd Stuttard and Marcus Pinto provides an in-depth introduction to web application security, including Insufficient Session Expiration vulnerabilities.

Damn Vulnerable Web Application (DVWA): The DVWA is a vulnerable web application that can be used to practice web application security testing, including testing for Insufficient Session Expiration vulnerabilities.

OWASP ZAP: This open-source web application security scanner includes features for testing for Insufficient Session Expiration vulnerabilities.

Burp Suite: This web application security testing tool includes features for testing for Insufficient Session Expiration vulnerabilities.

Hack The Box: This platform provides virtual machines for practicing penetration testing skills, including testing for Insufficient Session Expiration vulnerabilities.

WebGoat: This deliberately insecure web application provides a set of lessons for practicing web application security skills, including testing for Insufficient Session Expiration vulnerabilities.

SecurityTube: This website provides a variety of free and paid courses on web application security, including topics related to Insufficient Session Expiration vulnerabilities.

YouTube: There are many YouTube channels that provide tutorials and walkthroughs on web application security testing, including testing for Insufficient Session Expiration vulnerabilities.

Conferences and Events: Attend web application security conferences and events, such as OWASP conferences, to learn about the latest trends and techniques in web application security, including Insufficient Session Expiration vulnerabilities.

Books with review of Insufficient Session Expiration

“The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – This book is a comprehensive guide to web application security testing and includes a section on Insufficient Session Expiration vulnerabilities.

“OWASP Testing Guide v4” by The Open Web Application Security Project (OWASP) – This guide provides a comprehensive approach to web application security testing, including a section on testing for Insufficient Session Expiration vulnerabilities.

“Web Application Security: A Beginner’s Guide” by Bryan Sullivan and Vincent Liu – This book provides an introduction to web application security, including a section on Insufficient Session Expiration vulnerabilities.

“Real-World Bug Hunting: A Field Guide to Web Hacking” by Peter Yaworski – This book is a practical guide to finding and exploiting web application vulnerabilities, including Insufficient Session Expiration.

“Mastering Modern Web Penetration Testing” by Prakhar Prasad – This book covers modern web application security testing techniques, including testing for Insufficient Session Expiration vulnerabilities.

“The Basics of Web Hacking: Tools and Techniques to Attack the Web” by Josh Pauli – This book is an introduction to web application security testing and includes a section on Insufficient Session Expiration vulnerabilities.

“Web Security Testing Cookbook” by Paco Hope and Ben Walther – This book provides a collection of recipes for web application security testing, including a section on testing for Insufficient Session Expiration vulnerabilities.

“Advanced Penetration Testing: Hacking the World’s Most Secure Networks” by Wil Allsopp – This book is a guide to advanced penetration testing techniques, including testing for Insufficient Session Expiration vulnerabilities.

“The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski – This book covers web application security testing techniques, including a section on Insufficient Session Expiration vulnerabilities.

“Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz – This book provides a guide to using Python for hacking and penetration testing, including a section on testing for Insufficient Session Expiration vulnerabilities.

List of payloads Insufficient Session Expiration

  • Session fixation attack: This involves setting the session ID of a user before they authenticate, allowing an attacker to hijack their session.

  • Session ID prediction attack: This involves predicting the session ID of a user by analyzing the session ID generation algorithm or by brute force.

  • Session hijacking attack: This involves stealing the session ID of a user after they have authenticated, allowing an attacker to impersonate the user.

  • Session replay attack: This involves capturing and replaying a valid session to gain access to a web application.

  • Session revocation attack: This involves bypassing the session revocation mechanism by using an old session ID.

  • Session fixation through CSRF attack: This involves exploiting a Cross-Site Request Forgery (CSRF) vulnerability to set the session ID of a victim to a known value.

  • Session injection attack: This involves injecting malicious data into a session variable to execute unauthorized actions.

  • Session timeout bypass attack: This involves bypassing the session timeout mechanism to maintain a session after the user has logged out.

  • Session token brute forcing attack: This involves brute forcing session tokens to gain access to a web application.

  • Man-in-the-middle attack: This involves intercepting the communication between the user and the server to steal the session ID.

How to be protected from Insufficient Session Expiration

  1. Implement session timeout: Set a reasonable session timeout period to automatically log users out after a certain period of inactivity.

  2. Regenerate session IDs: Regenerate session IDs after a user logs in or changes their authentication status to prevent session fixation attacks.

  3. Use secure session management techniques: Use secure session management techniques such as encryption, secure cookies, and HTTPS to prevent session hijacking.

  4. Limit session length: Limit the length of a session to a reasonable time period to reduce the likelihood of successful attacks.

  5. Use unique session IDs: Use unique session IDs to prevent session ID prediction attacks.

  6. Use strong random number generators: Use strong random number generators to generate session IDs to prevent session ID prediction attacks.

  7. Use CSRF protection: Implement Cross-Site Request Forgery (CSRF) protection to prevent session fixation through CSRF attacks.

  8. Test for vulnerabilities: Conduct regular security testing to identify and remediate vulnerabilities, including Insufficient Session Expiration vulnerabilities.

  9. Use security headers: Implement security headers such as the Strict-Transport-Security (HSTS) and X-Content-Type-Options to enhance the security of the web application.

  10. Train employees: Train employees on best practices for secure session management, including not sharing credentials, logging out of the application when finished, and using secure passwords.

Conclusion

Insufficient Session Expiration is a common vulnerability in web applications that can allow an attacker to gain unauthorized access to a user’s account or sensitive data. It occurs when a web application fails to properly manage the lifecycle of a user’s session, either by not setting a session timeout, using weak session IDs, or failing to regenerate session IDs after certain events. This vulnerability can be exploited by attackers to perform session hijacking or session fixation attacks, potentially compromising the security of the web application.

To mitigate Insufficient Session Expiration vulnerabilities, it is important to implement secure session management techniques, such as using encryption, secure cookies, and HTTPS, and setting a reasonable session timeout period. It is also important to regenerate session IDs after certain events, such as login or authentication status changes, and to use unique and strong session IDs. Implementing CSRF protection and two-factor authentication can add an extra layer of security to the login process. Regular security testing and employee training on secure session management best practices can also help to prevent this vulnerability.

Other Services

Ready to secure?

Let's get in touch