The system must force a user to re-authenticate or invalidate their session
if the state of their account changes
(password change/recovery, lockouts, user deletion, etc.).
F076. Insecure session management
CWE-613: Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits
an attacker to reuse old session credentials or session IDs for authorization."
V3.3 Session Logout and Timeout Requirements (3.3.3)
Verify that the application terminates all other active sessions after a
successful password change,
and that this is effective across the application, federated login
(if present), and any relying parties.
V3.7 Defenses Against Session Management Exploits (3.7.1)
Verify that the application ensures a valid login session, or requires
re-authentication or secondary verification, before allowing any sensitive
transactions or account modifications.
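The three requirements above (invalidate sessions when account state changes, terminate all other sessions after a password change, and require recent authentication before sensitive account modifications) can be enforced with one server-side session store. The following is an added example, not code from the original page or from Fluid Attacks: it keeps a per-user "generation" counter that is bumped on every security-relevant change, stamps each session with the generation it was issued under, and rejects any session whose generation no longer matches. The re-authentication window (300 seconds), the PBKDF2 parameters and the class and function names are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example, not taken from the original page.
REAUTH_WINDOW = 300      # seconds a login counts as "recent" for sensitive actions
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _now(now: float | None) -> float:
    return time.time() if now is None else now


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    # Bumped on every security-relevant account change (password change, lockout,
    # deletion). A session whose generation differs from the user's is stale.
    generation: int = 0
    locked: bool = False


@dataclass
class Session:
    sid: str
    username: str
    generation: int
    authenticated_at: float   # last time the user proved possession of the password


class ReauthRequired(Exception):
    """Session is valid but was authenticated too long ago for a sensitive action."""


class SessionManager:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return secrets.compare_digest(hash_password(password, user.salt), user.password_hash)

    def login(self, username: str, password: str, now: float | None = None) -> str | None:
        user = self.users.get(username)
        if user is None or user.locked or not self._check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy from the OS CSPRNG
        self.sessions[sid] = Session(sid, username, user.generation, _now(now))
        return sid

    def validate(self, sid: str, now: float | None = None) -> User | None:
        """Return the session's user, or None (dropping the session) if the
        account was deleted, locked or changed since the session was issued."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        user = self.users.get(session.username)
        if user is None or user.locked or session.generation != user.generation:
            del self.sessions[sid]
            return None
        return user

    def require_recent_auth(self, sid: str, now: float | None = None) -> User:
        """ASVS 3.7.1: a sensitive action needs a valid *and recently authenticated* session."""
        now = _now(now)
        user = self.validate(sid, now)
        if user is None:
            raise PermissionError("no valid session")
        if now - self.sessions[sid].authenticated_at > REAUTH_WINDOW:
            raise ReauthRequired("re-authenticate before performing this action")
        return user

    def reauthenticate(self, sid: str, password: str, now: float | None = None) -> bool:
        user = self.validate(sid, now)
        if user is None or not self._check_password(user, password):
            return False
        self.sessions[sid].authenticated_at = _now(now)
        return True

    def change_password(self, sid: str, new_password: str, now: float | None = None) -> None:
        user = self.require_recent_auth(sid, now)
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.generation += 1                              # ASVS 3.3.3: every other session is now stale
        self.sessions[sid].generation = user.generation   # only the session that made the change survives
        self._drop_stale_sessions(user)

    def lock_user(self, username: str) -> None:
        user = self.users[username]
        user.locked = True
        user.generation += 1
        self._drop_stale_sessions(user)

    def delete_user(self, username: str) -> None:
        user = self.users.pop(username)
        user.generation += 1
        self._drop_stale_sessions(user)

    def _drop_stale_sessions(self, user: User) -> None:
        # Eager cleanup; validate() also catches stale sessions lazily on next use.
        for sid, s in list(self.sessions.items()):
            if s.username == user.username and s.generation != user.generation:
                del self.sessions[sid]
```

The generation counter is what makes the invalidation effective across every place a session can be checked: a federated login or relying party that validates against the same store (or receives the generation in a back-channel logout) sees the mismatch too, whereas deleting cookies client-side only affects one browser. Note that `validate()` drops stale sessions lazily, so the guarantee holds even if the eager cleanup in `_drop_stale_sessions()` is skipped, for instance after a crash between the password update and the cleanup.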
Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.