Insufficient Session Expiration vulnerabilities usually stem from a lack of understanding of session-management controls. When building a web application that interacts with clients, it is vital to ensure that sessions are ended reliably, on the server as well as in the browser. The flaw arises in the following cases:
More than one person has physical access to a computer, as in shared environments (libraries, kiosks, classrooms). A session that outlives its user is then trivially reused by whoever sits down at the machine next.
The application employs neither an inactivity (idle) timeout nor an absolute timeout, or it sets them but makes them so long that they provide no meaningful risk reduction.
The logout function sends the user to the site's home page without deleting the session on the server, or, more commonly, the user simply closes the browser window without logging out.
The next user of the machine can then walk back through the browser history to the pages the victim visited. Because the victim's session ID has not been invalidated, those requests still carry a valid session, and the malicious user obtains the victim's privileges.
The web application does not provide a logout feature at all, or the feature it provides fails to actually terminate the victim's session on the server side.
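The following is an added example, not code from the original page: a small server-side session store that enforces both an inactivity timeout and an absolute timeout, alongside a logout that merely redirects (the flaw described above) and one that actually destroys the session. The scenario walks through the shared-computer case: the victim walks away without a working logout, the next user replays the session ID, and the two timeouts end the session even when the attacker keeps it active. The class and function names, the 15-minute and 8-hour values, and the FakeClock used to step time are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created_at: float   # the absolute timeout is measured from here
    last_seen: float    # the inactivity timeout is measured from here


class SessionStore:
    """Server-side session table with inactivity and absolute timeouts (example code)."""

    def __init__(self, clock=time.time, idle_timeout=15 * 60, absolute_timeout=8 * 60 * 60):
        self._sessions = {}
        self._clock = clock
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout

    def login(self, user):
        # Fresh 256-bit random identifier on every login; never reuse the old one.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid):
        """Return the user bound to sid, or None if the session is unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.created_at >= self.absolute_timeout
                or now - sess.last_seen >= self.idle_timeout):
            del self._sessions[sid]   # expired: drop it so the ID cannot be replayed
            return None
        sess.last_seen = now          # activity extends the idle window, never the absolute one
        return sess.user

    def logout_broken(self, sid):
        # The flaw from the page: redirect to the home page but keep the server-side record,
        # so the session cookie left in the shared browser still works.
        return "/"

    def logout(self, sid):
        # Correct: destroy the server-side record first, then redirect.
        self._sessions.pop(sid, None)
        return "/"

    def active_count(self):
        return len(self._sessions)


class FakeClock:
    """Controllable clock so the scenario can step through hours offline (test scaffolding)."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def shared_computer_scenario():
    """Constructed scenario: returns what each check sees, for inspection or assertions."""
    clock = FakeClock()
    store = SessionStore(clock=clock.now, idle_timeout=15 * 60, absolute_timeout=8 * 60 * 60)
    result = {}

    # 1. Victim logs in, hits the broken logout, and leaves the shared machine.
    sid = store.login("victim")
    store.logout_broken(sid)
    clock.advance(60)
    result["after_broken_logout"] = store.validate(sid)   # next user is still "victim"

    # 2. A real logout destroys the session.
    store.logout(sid)
    result["after_real_logout"] = store.validate(sid)

    # 3. Window closed without logging out: the inactivity timeout catches it.
    sid = store.login("victim")
    clock.advance(15 * 60)
    result["after_idle"] = store.validate(sid)

    # 4. Attacker keeps the session alive with a request every 10 minutes;
    #    the absolute timeout still ends it at the 8-hour mark.
    sid = store.login("victim")
    for _ in range(47):
        clock.advance(10 * 60)
        store.validate(sid)
    result["before_absolute"] = store.validate(sid)        # 7h50m in: still valid
    clock.advance(10 * 60)
    result["after_absolute"] = store.validate(sid)         # 8h in: expired
    result["remaining_sessions"] = store.active_count()
    return result


if __name__ == "__main__":
    for step, outcome in shared_computer_scenario().items():
        print(f"{step}: {outcome}")
```

Two points the scenario makes concrete: a logout that only redirects leaves the session replayable from the browser history, and an idle timeout alone is not enough, because an attacker who has the session ID can keep it alive indefinitely unless an absolute timeout caps its lifetime.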