Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us

REQ.030 Avoid object reutilization

This document contains the details of the security requirements related to the definition and management of sessions and session variables the organization. This requirement establishes the importance of defining controls to manage object sessions securely to avoid common attacks.


System must control that objects (session id, cookies, etc) used in authentication process can’t be reused.


In a system it is necessary to control if the transmitted information is being reused by an attacker to impersonate an authorized user or the server response, so it is essential to verify the communications between the users and the system, avoiding in this way the reinjection of any type of information that affects the confidentiality and/or availability of the same.


In order to prevent this type of impersonation there are several options to considerate depending on the context and implementation method. Some good practices to avoid data reutilization are listed below:

  1. Cryptographic nonce: It consists of numbers that expire after their first use or after a small lapse of time, with which you can verify the authenticity of a message. They are often randomized and used in authentication protocols to ensure that past communications can not be reused.

  2. Timestamping: In order to implement this method there must be a clock synchronization between client and server. Server will only accept messages with date and hour within a tolerance range. Thus, it minimizes the risk of potential attacks by providing a small time windows for exploitation.

  3. Session Token : In this method, the server sends a token code which is used by the client to transform the key (e.g applying hash functions to key and token combination) before sending it again to the server. This value is compared with the client side authentication. Thus, an attacker cannot perform replay attacks because the token sent by the server will be different (token generation must be random).

  4. Session Time-out: Allow users to exit the application and clean session data, say, when an user exits the application his session must be invalidated in client and server side.


  1. Session hijacking

  2. Identity impersonation

  3. Man in the middle (MiM).

  4. Replay attack


  1. Layer: Application Layer

  2. Asset: Session management

  3. Scope: Authenticity

  4. Phase: Construction

  5. Type of Control: Recommendation


  1. CWE-294: Authentication Bypass by Capture-replay.

  2. CAPEC-60: Reusing Session IDs (aka Session Replay).

  3. CWE-287: Improper Authentication.

  4. HTTP Authentication: Basic and Digest Access Authentication.

  5. OWASP-ASVS v3.1-2.12 Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.

  6. OWASP-ASVS v3.1-3.7 Verify that all successful authentication and re-authentication generates a new session and session id.

Service status - Terms of Use