
302 Insecure functionality - Session management


Description

The application accepts a session token (JWT) whose expiration claim has been altered after the token expired. Because the modified expiration is trusted, an expired token can be made functional again and used to keep querying the application.


Impact

Perform requests to the application with an expired session token (JWT) by editing its expiration claim, extending the session beyond its intended lifetime.


Recommendation

Once a session token has expired, it must be rejected in every future request. The server must verify the token's integrity (its signature) before trusting any claim, including the expiration, and must enforce the expiration server-side so that a client cannot revive a token by editing that claim.


Threat

Attacker from the Internet who holds a session token, including one that has already expired.


Expected Remediation Time

60 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/19