AttackFlow Findings Dictionary


Insecure Session Timeout

An attacker can guess the session IDs of authenticated users and take actions on their behalf.

Severity: Medium

Fix Cost: Medium

Trust Level: High

Nearly every decent web application framework can be configured with a session timeout value.

Sessions (backed by a cookie on the client side) are the most widely used mechanism for remembering application users across HTTP requests. If a user stays idle for a long time, the session stays valid for that whole period, which gives an attacker a larger window to brute-force that user's session ID and log in to the application without knowing the user's credentials.

Here's an insecure session timeout value in Web.config, which amounts to a 2-hour idle window (the value is in minutes):

            
<configuration>
<system.web>
<authentication mode="Forms">
<forms timeout="120" />
</authentication>
</system.web>
                 
            

The same name-based check applies to other frameworks' configuration files. Here's the equivalent insecure value in a Java web.xml, where session-timeout is also expressed in minutes and amounts to a 150-minute idle window:

            
<session-config>
<session-timeout>
150
</session-timeout>
</session-config>
                 
            
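The following script is an added example, not part of the AttackFlow page or product: it performs the name-based check described above for both file types, flagging any idle timeout above a policy threshold. The 20-minute threshold, the element names searched (forms/@timeout and sessionState/@timeout in Web.config, session-config/session-timeout in web.xml) and the sample documents are assumptions or constructed inputs; the two insecure fragments are the ones shown in this finding, wrapped in their root elements. Note the web.xml edge case: a session-timeout of 0 or a negative value means the session never expires, so it is flagged as insecure even though it is not "large".

```python
"""Flag overly long idle-session timeouts in ASP.NET Web.config and Java web.xml files."""
import xml.etree.ElementTree as ET

# Assumed policy threshold in minutes; the finding gives no number, so set this per your own policy.
MAX_IDLE_MINUTES = 20


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name); web.xml normally carries one."""
    return tag.rsplit("}", 1)[-1]


def audit_session_timeout(xml_text, max_idle=MAX_IDLE_MINUTES):
    """Return one finding per idle-timeout setting found in a Web.config or web.xml document.

    Each finding is a dict with the setting's name, its value in minutes and an
    'insecure' flag. Both frameworks express the timeout in minutes.
    """
    root = ET.fromstring(xml_text)
    findings = []
    kind = _local(root.tag)
    if kind == "configuration":  # ASP.NET Web.config
        for el in root.iter():
            name = _local(el.tag)
            if name in ("forms", "sessionState") and el.get("timeout") is not None:
                minutes = int(el.get("timeout"))
                findings.append({
                    "setting": f"{name}/@timeout",
                    "minutes": minutes,
                    "insecure": minutes > max_idle,
                })
    elif kind == "web-app":  # Java servlet web.xml
        for el in root.iter():
            if _local(el.tag) == "session-timeout" and el.text:
                minutes = int(el.text.strip())
                findings.append({
                    "setting": "session-config/session-timeout",
                    "minutes": minutes,
                    # 0 or a negative value disables expiry entirely, which is the worst case
                    "insecure": minutes <= 0 or minutes > max_idle,
                })
    else:
        raise ValueError(f"unrecognised configuration root element: {kind}")
    return findings


# Constructed sample inputs: the two insecure fragments from this finding, plus hardened versions.
INSECURE_WEBCONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms timeout="120" />
    </authentication>
  </system.web>
</configuration>"""

INSECURE_WEBXML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config>
    <session-timeout>
      150
    </session-timeout>
  </session-config>
</web-app>"""

HARDENED_WEBCONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms timeout="15" slidingExpiration="true" />
    </authentication>
    <sessionState timeout="15" />
  </system.web>
</configuration>"""

HARDENED_WEBXML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
</web-app>"""

NEVER_EXPIRES_WEBXML = """<web-app>
  <session-config>
    <session-timeout>0</session-timeout>
  </session-config>
</web-app>"""


if __name__ == "__main__":
    samples = [
        ("insecure Web.config", INSECURE_WEBCONFIG),
        ("insecure web.xml", INSECURE_WEBXML),
        ("hardened Web.config", HARDENED_WEBCONFIG),
        ("hardened web.xml", HARDENED_WEBXML),
        ("never-expiring web.xml", NEVER_EXPIRES_WEBXML),
    ]
    for label, doc in samples:
        for f in audit_session_timeout(doc):
            verdict = "INSECURE" if f["insecure"] else "ok"
            print(f"{label}: {f['setting']} = {f['minutes']} min -> {verdict}")
```

Run it directly to see a verdict per setting, or import audit_session_timeout into a CI step that walks a repository for Web.config and web.xml files. The threshold is deliberately a single constant so it can be tightened for high-value applications without touching the parsing logic.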
