CWE Glossary

CWE is a trademark of the MITRE Corporation.


Insufficient Session Expiration [CWE-613]

This weakness describes a case of insufficient session expiration, which allows an attacker to use an existing session identifier to log into the application.

Created: May 18, 2014
Latest Update: August 6, 2015

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. References

1. Description

The insufficient session expiration weakness is a result of poorly implemented session management. It can arise at both the design and implementation levels and can be used by attackers to gain unauthorized access to the application.

When handling sessions, web developers can rely either on server tokens or generate session identifiers within the application. Each session should be destroyed when the user clicks the log off button, or after a certain period of time, called the timeout. Unfortunately, coding errors and server misconfigurations may affect the session handling process, which can result in unauthorized access.

Example of vulnerable code
Let’s assume we have an application which uses cookies to authenticate users. The session identifier is transferred within a cookie and is used by the application to authenticate visitors.

The session identifier is generated in a secure manner using the “GenerateSecureToken()” function. The “ValidateSession()” function validates a previously generated session.

  <?php
  // No session cookie yet: mint a fresh identifier and hand it to the browser.
  if (empty($_COOKIE["SESSION_ID"])):
          $SessionID = GenerateSecureToken();
          // The third argument is the expiry timestamp. time()*3600 lies far in
          // the future, so the cookie (and the session it carries) effectively never expires.
          setcookie("SESSION_ID", $SessionID, time()*3600);
  // Cookie present: accept it as proof of identity while the session is still valid.
  elseif (ValidateSession($_COOKIE["SESSION_ID"])):
          echo "Hello ".$UserLogin;   // $UserLogin is assumed to be set during validation
  else:
          echo "Please, enter your credentials";
  endif;
  ?>

The vulnerability is introduced by incorrect usage of the “setcookie()” PHP function. Its third argument is the expiry timestamp, and time()*3600 yields a date far in the future, so the developer has given the “SESSION_ID” cookie an extremely long lifetime. The session will not expire for a very long time, and the owner of the cookie can authenticate automatically throughout that period. If the cookie is stolen, an attacker can use the session identifier to authenticate against the vulnerable application and gain unauthorized access to it with the privileges of the compromised user account.

2. Potential impact

An attacker can bypass authentication mechanisms and gain unauthorized access to the web application without providing proper credentials.

3. Attack patterns

The following CAPEC (Common Attack Pattern Enumeration and Classification) vector is related to this weakness:


In the alternative WASC Threat Classification, this vulnerability is described as a weakness under WASC-47 (Insufficient Session Expiration).

4. Affected software

Any multiuser software that uses session-based authentication can be vulnerable to the insufficient session expiration weakness.

5. Severity and CVSS Scoring

This weakness should be scored depending on the maximum possible impact and on other factors, including the functionality of the web application. It is usually scored with medium access complexity because exploitation requires the victim’s interaction or some other action that reveals the session identifier, such as a MitM (Man-in-the-Middle) attack.

If an attacker is able to gain administrative privileges, this weakness should be scored as:
6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) - Medium severity.

In the case of information disclosure, the score will be:
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) - Medium severity.

6. Mitigations

It is very hard to give a general recommendation for the insufficient session expiration weakness, since many different cases can lead to this vulnerability. The main general recommendation: always specify a session expiration date, make sure it is not too long, and make sure the user can terminate the session using the log off functionality of the application.

If your application uses server-based session tokens provided by the web server or language interpreter, make sure that the session lifetime is set properly.
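As an added example that is not part of the original page or of any High-Tech Bridge code, the following PHP shows the session handling that sections 1 and 6 call for: the corrected setcookie() call with a bounded lifetime (the counterpart of the vulnerable time()*3600 call above), a server-side session table that enforces both an absolute lifetime and an idle timeout, and a log off function that destroys the record. The two constants, the in-memory $sessions array and all function names are assumptions chosen for illustration; the simulated clock lets the walkthrough run from the command line without a web server.

```php
<?php
// Added example (not from the original page): session handling that enforces
// the expiration rules described in sections 1 and 6. Constant and function
// names are assumptions for illustration, not part of any framework.

declare(strict_types=1);

const SESSION_ABSOLUTE_LIFETIME = 8 * 3600;  // hard cap: 8 hours from creation
const SESSION_IDLE_TIMEOUT      = 30 * 60;   // 30 minutes without activity

// Server-side session table: id => ['user' => ..., 'created' => ..., 'last_seen' => ...].
// A plain array stands in for a database or the interpreter's own session storage.
$sessions = [];

// 128-bit identifier from the CSPRNG, as the page's GenerateSecureToken() is meant to produce.
function generateSecureToken(): string
{
    return bin2hex(random_bytes(16));
}

// Create a new session record and return its identifier.
function createSession(array &$sessions, string $user, int $now): string
{
    $id = generateSecureToken();
    $sessions[$id] = ['user' => $user, 'created' => $now, 'last_seen' => $now];
    return $id;
}

// Validate an identifier against the server-side table. Returns the user name,
// or null when the id is unknown or either timeout has elapsed. Expired records
// are deleted so the identifier cannot be replayed later.
function validateSession(array &$sessions, string $id, int $now): ?string
{
    if (!isset($sessions[$id])) {
        return null;
    }
    $s = $sessions[$id];
    if ($now - $s['created'] > SESSION_ABSOLUTE_LIFETIME
        || $now - $s['last_seen'] > SESSION_IDLE_TIMEOUT) {
        unset($sessions[$id]);
        return null;
    }
    $sessions[$id]['last_seen'] = $now;  // activity extends the idle window, never the absolute cap
    return $s['user'];
}

// Log off: destroy the server-side record, so a copied cookie is useless afterwards.
function destroySession(array &$sessions, string $id): void
{
    unset($sessions[$id]);
}

// The corrected cookie call: a bounded expiry instead of time()*3600, plus the
// Secure, HttpOnly and SameSite attributes. The options-array form of
// setcookie() requires PHP 7.3 or later.
function sendSessionCookie(string $id, int $now): void
{
    setcookie('SESSION_ID', $id, [
        'expires'  => $now + SESSION_IDLE_TIMEOUT,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Offline walkthrough with a simulated clock (constructed timestamps, no web server needed).
if (PHP_SAPI === 'cli') {
    $t0 = 1700000000;
    $id = createSession($sessions, 'alice', $t0);
    sendSessionCookie($id, $t0);
    var_dump(validateSession($sessions, $id, $t0 + 600));         // 10 minutes later, within the idle window
    var_dump(validateSession($sessions, $id, $t0 + 600 + 1801)); // then 30 minutes and 1 second of inactivity
    $id2 = createSession($sessions, 'bob', $t0);
    destroySession($sessions, $id2);                               // the user clicked log off
    var_dump(validateSession($sessions, $id2, $t0 + 1));          // the same identifier presented after log off
}
```

The server-side check is the authoritative one: the cookie expiry only tells a well-behaved browser when to discard the cookie, so a copied identifier is rejected once either timeout elapses or the user logs off, regardless of what the cookie says. If the application relies on PHP's built-in sessions instead, the equivalent controls are the session.gc_maxlifetime and session.cookie_lifetime settings, together with session.cookie_secure and session.cookie_httponly.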

7. References

  1. CWE-613: Insufficient Session Expiration [cwe.mitre.org]
  2. Insufficient Session Expiration [www.owasp.org]
  3. Insufficient Session Expiration [projects.webappsec.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
