CWE-613 Detail

CWE-613
Insufficient Session Expiration
Status: Incomplete
Created: 2007-05-07 00:00 +00:00
Last modified: 2026-04-30 00:00 +00:00

Name: Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

General Information

Modes Of Introduction

Architecture and Design
Implementation: REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Web Based (Undetermined)
Name: Web Server (Undetermined)

Common Consequences

Scope | Impact | Likelihood
Access Control | Bypass Protection Mechanism | (not stated)

Observed Examples

Reference | Description

CVE-2025-46344 | JavaScript SDK does not set an expiration time for JWE tokens related to a session

CVE-2024-8888 | Web interface for a power quality analyzer uses tokens without an expiration date

CVE-2024-35206 | Network traffic analyzer for PROFINET networks does not expire sessions

CVE-2024-27782 | AI/ML monitor for IT operations allows re-use of old session tokens due to insufficient session expiration

Potential Mitigations

Phase: Implementation
Set an expiration on sessions and credentials: enforce an inactivity timeout, an absolute lifetime, and server-side invalidation on logout, so that a captured session ID stops working within a bounded window.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High

Vulnerability Mapping Notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. However, it is frequently misused for many different weaknesses related to session expiration. It is being considered for major revisions and/or deprecation.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. See Maintenance Notes.

Notes

This CWE entry is being considered for deprecation. For many years (as of CWE 4.20), the intention and usage of this CWE entry has evolved to include many notions of "sessions" that are not specific to the web. The scope of this entry could be expanded accordingly, or it could be split into multiple separate entries. The original WASC-47 entry [REF-1520] includes considerations for forcing re-authentication on "inactivity" (expiring sessions after a period of inactivity) versus "absolute" expiration (a fixed expiration time), with a goal to "keep the lifespan of a session ID as short as possible." However, this CWE has also been used for situations in which a session is not fully invalidated or terminated upon logout, which is a different weakness than the original intention for this entry; as of CWE 4.19.1, there is no entry that covers this other variation. There is also evidence that this CWE entry is used for session fixation (CWE-384).
The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.
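The mitigation above (set an expiration on sessions and credentials) and the inactivity-versus-absolute distinction and logout case discussed in the notes, as one added example in Python. This is not code from the CWE entry or from WASC-47: it assumes a server-side store keyed by an opaque random token, and the timeout values (15-minute idle, 8-hour absolute) are hypothetical policy choices. The weak store that exhibits the weakness is shown beside the hardened one so that the same replay scenarios can be run against both.

```python
import secrets
from dataclasses import dataclass

# Hypothetical policy values (assumed for this example, not taken from CWE-613 or WASC-47).
IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session is expired
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, regardless of activity


@dataclass
class Session:
    user: str
    created_at: float   # when the token was issued
    last_seen: float    # last request that presented the token


class VulnerableSessionStore:
    """Exhibits the weakness: a token, once issued, is honoured until the process dies."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now):
        s = self._sessions.get(token)
        return s.user if s else None   # no idle check, no absolute check

    def logout(self, token):
        pass   # logout is cosmetic: the token remains valid for replay


class SessionStore:
    """Hardened store: idle timeout, absolute timeout and logout all invalidate the token."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout

    def create(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now):
        """Return the session's user, or None (and discard the session) once it has expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created_at > self.absolute_timeout:   # fixed lifetime, never extended by use
            del self._sessions[token]
            return None
        if now - s.last_seen > self.idle_timeout:        # inactivity window, reset on each use
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token):
        self._sessions.pop(token, None)   # server-side invalidation, not just a cleared cookie


def replay_scenario(store_cls):
    """Run the WASC-47 scenarios against a store and record what each validation returns."""
    store = store_cls()
    t0 = 1_700_000_000.0                   # constructed reference clock
    out = {}
    tok = store.create("alice", t0)
    out["fresh"] = store.validate(tok, t0 + 60)
    out["after_idle"] = store.validate(tok, t0 + 60 + IDLE_TIMEOUT + 1)

    tok = store.create("alice", t0)        # kept active every 10 minutes, so it never goes idle
    user = "alice"
    step = 0
    while user is not None and step < 60:  # 60 * 10 min = 10 h, past the 8 h absolute cap
        step += 1
        user = store.validate(tok, t0 + step * 600)
    out["after_absolute"] = user

    tok = store.create("alice", t0)        # stolen token replayed after the victim logs out
    store.logout(tok)
    out["after_logout"] = store.validate(tok, t0 + 1)
    return out


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(VulnerableSessionStore))
    print("hardened:  ", replay_scenario(SessionStore))
```

Against the vulnerable store every scenario still returns "alice": an intercepted token can be replayed indefinitely, even after logout. Against the hardened store only the fresh request succeeds; the idle window bounds how long a sniffed or XSS-stolen token is useful once the victim stops using it, the absolute cap bounds it even for a session that an attacker keeps alive by polling, and logout removes the record so the back-button and shared-computer cases fail as well. The same three checks apply to bearer tokens such as the JWE tokens in the observed examples, where the absolute cap becomes an exp claim and logout requires a server-side revocation list.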

References

REF-1520

Insufficient Session Expiration
WASC.
http://projects.webappsec.org/w/page/13246944/Insufficient%20Session%20Expiration

Submissions

Name | Organization | Date | Release Date | Version
WASC | 2007-05-07 +00:00 | 2007-05-07 +00:00 | Draft 6

Modifications

Name | Organization | Date | Comment
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2010-02-16 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2010-09-27 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-06-23 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated Relationships
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
CWE Content Team MITRE 2026-04-30 +00:00 updated Maintenance_Notes, Mapping_Notes, Observed_Examples, References