Insufficient Session Expiration [CWE-613]
The Insufficient Session Expiration weakness covers sessions that remain valid for longer than they should, which allows an attacker who obtains an existing session identifier to log into the application as its owner.
Created: May 18, 2014
Latest Update: December 28, 2020
Table of Contents
- Description
- Potential impact
- Attack patterns
- Affected software
- Severity and CVSS Scoring
- Mitigations
- References
Want to have an in-depth understanding of all modern aspects of Insufficient Session Expiration [CWE-613]? Read this article carefully and bookmark it to come back later; we update this page regularly.
1. Description
The insufficient session expiration weakness results from poorly implemented session management. It can be introduced at the design or the implementation level and can be used by attackers to gain unauthorized access to the application.
When handling sessions, web developers can rely either on server-provided session tokens or on session identifiers generated within the application. Each session should be destroyed when the user hits the log off button or after a certain period of time, called the timeout. Unfortunately, coding errors and server misconfigurations can affect the session handling process, which may result in unauthorized access.
Example of vulnerable code
Let’s assume we have an application that uses cookies to authenticate users. The session identifier is transferred within a cookie and is used by the application to authenticate visitors.
The session identifier is generated in a secure manner by the “GenerateSecureToken()” function. The “ValidateSession()” function validates a previously generated session.
```php
<?php
// GenerateSecureToken(), ValidateSession() and $UserLogin are assumed to be
// defined elsewhere in the application, as the text describes.
if (empty($_COOKIE["SESSION_ID"])):
    $SessionID = GenerateSecureToken();
    // Vulnerable line (the weakness the article describes): the expiry is
    // time()*3600, a timestamp far in the future, so the cookie effectively
    // never expires.
    setcookie("SESSION_ID", $SessionID, time() * 3600);
elseif (ValidateSession($_COOKIE["SESSION_ID"])):
    echo "Hello " . $UserLogin;
else:
    echo "Please, enter your credentials";
endif;
?>
```
The vulnerability is introduced by incorrect usage of the “setcookie()” PHP function. The developer set an extremely long lifetime for the “SESSION_ID” cookie (the expiry argument is time()*3600, a timestamp far in the future), which means that the session will not expire for a very long time and the owner of the cookie is authenticated automatically throughout that period. If the cookie is stolen, an attacker can use the session identifier to authenticate against the vulnerable application and gain unauthorized access with the privileges of the compromised user account.
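As an added example (not code from the original article), here is a hardened version of the snippet above. The application still generates its own identifiers, but it keeps a server-side record for each session with an absolute lifetime and an idle timeout, issues the cookie with a matching expiry instead of time()*3600, and lets a logout invalidate the record. The timeout values, the in-memory store, the `CreateSession()`, `DestroySession()` and `SendSessionCookie()` helpers and the demo clock are assumptions for illustration.

```php
<?php
// Added example, not from the original article: application-generated session
// identifiers backed by a server-side record with bounded lifetime.

const ABSOLUTE_LIFETIME = 8 * 3600;  // assumed: re-authenticate after 8 hours
const IDLE_TIMEOUT      = 15 * 60;   // assumed: 15 minutes without a request ends the session

// Constructed in-memory store standing in for a database table:
// session id => ['user' => ..., 'created' => ts, 'last_seen' => ts]
$SESSION_STORE = [];

function GenerateSecureToken(): string {
    // 256 bits from the CSPRNG, hex-encoded (64 characters)
    return bin2hex(random_bytes(32));
}

function CreateSession(array &$store, string $user, int $now): string {
    $id = GenerateSecureToken();
    $store[$id] = ['user' => $user, 'created' => $now, 'last_seen' => $now];
    return $id;
}

// Returns the user name for a valid session, or null if the session is
// unknown, has passed its absolute lifetime, or has been idle too long.
function ValidateSession(array &$store, string $id, int $now): ?string {
    if (!isset($store[$id])) {
        return null;
    }
    $s = $store[$id];
    if ($now - $s['created'] > ABSOLUTE_LIFETIME || $now - $s['last_seen'] > IDLE_TIMEOUT) {
        unset($store[$id]);          // expired: drop the record so it cannot be reused
        return null;
    }
    $store[$id]['last_seen'] = $now; // sliding idle window
    return $s['user'];
}

// Logout: the record disappears, so the identifier is useless even if copied.
function DestroySession(array &$store, string $id): void {
    unset($store[$id]);
}

// Corrected cookie: expires together with the server-side limit and carries
// the Secure/HttpOnly/SameSite flags to make theft harder.
function SendSessionCookie(string $id): void {
    setcookie("SESSION_ID", $id, [
        'expires'  => time() + ABSOLUTE_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Demo with a constructed clock so the timeouts can be exercised offline.
$now = 1700000000;
$id  = CreateSession($SESSION_STORE, 'alice', $now);
SendSessionCookie($id);
echo "valid one minute later: ", ValidateSession($SESSION_STORE, $id, $now + 60) ?? 'no', "\n";
echo "after 20 minutes idle:  ", ValidateSession($SESSION_STORE, $id, $now + 60 + 20 * 60) ?? 'no', "\n";

$id2 = CreateSession($SESSION_STORE, 'bob', $now);
DestroySession($SESSION_STORE, $id2);   // user clicked "log off"
echo "after logout:           ", ValidateSession($SESSION_STORE, $id2, $now + 1) ?? 'no', "\n";
```

Because validity is decided by the server-side record rather than by the cookie alone, a stolen identifier stops working at the idle timeout, at the absolute limit, or as soon as the user logs off, whichever comes first.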
2. Potential impact
An attacker can bypass authentication mechanisms and gain unauthorized access to the web application without providing proper credentials.
3. Attack patterns
The following CAPEC (Common Attack Pattern Enumeration and Classification) vector is related to this weakness:
- CAPEC-60: Reusing Session IDs (aka Session Replay)
In the alternative WASC Threat Classification, this vulnerability is described as the weakness WASC-47 (Insufficient Session Expiration).
4. Affected software
Any multiuser software that uses session-based authentication can be vulnerable to insufficient session expiration weakness.
5. Severity and CVSS Scoring
This weakness should be scored depending on the maximum possible impact and on other factors, including the functionality of the web application. It is usually scored with medium access complexity because of the need for the victim’s interaction or for other actions that can reveal session identifiers, such as MitM (Man-in-the-Middle) attacks.
If an attacker is able to gain administrative privileges this weakness should be scored as:
6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) - Medium severity.
In case of information disclosure the score will be:
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) - Medium severity.
6. Mitigations
It is hard to give a general recommendation for the insufficient session expiration weakness, since a variety of cases can lead to this vulnerability. The main general recommendation: always specify a session expiration date, make sure it is not too long, and make sure the user can terminate the session using the log off functionality of the application.
If your application uses server-based session tokens provided by the web server or language interpreter, make sure that the session lifetime is set properly.
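For the server-managed case, the following added example (not from the original article) shows PHP's native session handling configured with a bounded lifetime. The ini settings, `session_set_cookie_params()`, `session_regenerate_id()` and `session_destroy()` are PHP's own; the 30-minute idle and 8-hour absolute limits and the `loginUser()`, `logoutUser()` and `currentUser()` helpers are assumptions for illustration.

```php
<?php
// Added example, not from the original article: server-managed sessions with
// PHP's built-in session mechanism and an explicit lifetime policy.

// Weak configuration often seen in the wild (shown for contrast only):
//   session.gc_maxlifetime = 31536000   ; idle data kept for a year
//   no server-side timestamp checks, no session_destroy() on logout,
//   so a session lives as long as the browser keeps the cookie.

// Corrected configuration; must be applied before session_start().
ini_set('session.gc_maxlifetime', (string)(30 * 60));  // idle data eligible for GC after 30 min
ini_set('session.use_strict_mode', '1');              // reject identifiers the server did not issue
session_set_cookie_params([
    'lifetime' => 0,          // cookie ends with the browser; the server enforces the real limits
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

const SESSION_IDLE_TIMEOUT     = 30 * 60;   // assumed value
const SESSION_ABSOLUTE_TIMEOUT = 8 * 3600;  // assumed value

function loginUser(string $user): void {
    session_regenerate_id(true);        // fresh identifier on login; the old one is deleted
    $_SESSION['user']      = $user;
    $_SESSION['created']   = time();
    $_SESSION['last_seen'] = time();
}

function logoutUser(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser as well as on the server.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                  // removes the server-side record; the identifier is now useless
}

// Returns the logged-in user, or null once the idle or absolute limit has passed.
function currentUser(): ?string {
    if (empty($_SESSION['user'])) {
        return null;
    }
    $now = time();
    if ($now - $_SESSION['created'] > SESSION_ABSOLUTE_TIMEOUT
        || $now - $_SESSION['last_seen'] > SESSION_IDLE_TIMEOUT) {
        logoutUser();
        return null;
    }
    $_SESSION['last_seen'] = $now;      // sliding idle window
    return $_SESSION['user'];
}

// Request handling (credential verification itself is out of scope here).
if (isset($_POST['logout'])) {
    logoutUser();
    echo "Logged out";
} elseif (($u = currentUser()) !== null) {
    echo "Hello " . htmlspecialchars($u, ENT_QUOTES, 'UTF-8');
} else {
    echo "Please, enter your credentials";
}
```

session.gc_maxlifetime only governs when PHP's garbage collector may delete idle session data, and the collector runs probabilistically (session.gc_probability / session.gc_divisor), so the explicit last_seen check in currentUser() is what actually enforces the idle limit on every request. session_regenerate_id() on login and session_destroy() on logout ensure that an identifier captured earlier cannot outlive the user's session.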
7. References
- CWE-613: Insufficient Session Expiration [cwe.mitre.org]
- Insufficient Session Expiration [www.owasp.org]
- Insufficient Session Expiration [projects.webappsec.org]
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.