Byte Open Security (ByteOS Network)
CWE-613: Insufficient Session Expiration
Weakness ID: 613
Version: v4.17
Weakness Name: Insufficient Session Expiration
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Incomplete
Likelihood of Exploit: N/A
▼Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"

Nature      Mapping              Type      ID   Name
CanPrecede  Discouraged          Class     287  Improper Authentication
ChildOf     Allowed-with-Review  Class     672  Operation on a Resource after Expiration or Release
ParentOf    Allowed              Compound  352  Cross-Site Request Forgery (CSRF)
▼Memberships

Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  724   OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
MemberOf  Prohibited  Category  930   OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
MemberOf  Prohibited  Category  951   SFP Secondary Cluster: Insecure Authentication Policy
MemberOf  Prohibited  Category  1018  Manage User Sessions
MemberOf  Prohibited  Category  1028  OWASP Top Ten 2017 Category A2 - Broken Authentication
MemberOf  Prohibited  Category  1217  User Session Errors
MemberOf  Prohibited  Category  1353  OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
MemberOf  Prohibited  Category  1396  Comprehensive Categorization: Access Control
▼Tags

Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-316  Bypass Protection Mechanism (impact)
▼Relevant To View

Relevant to the view "Architectural Concepts - (1008)"

Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  1018  Manage User Sessions

Relevant to the view "Software Development - (699)"

Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  1217  User Session Errors

Relevant to the view "OWASP Top Ten (2021) - (1344)"

Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  1353  OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"

Nature    Mapping     Type      ID   Name
MemberOf  Prohibited  Category  951  SFP Secondary Cluster: Insecure Authentication Policy
▼Background Detail

▼Common Consequences

Scope           Likelihood  Impact                       Note
Access Control  N/A         Bypass Protection Mechanism  N/A
▼Potential Mitigations
Phase: Implementation
Mitigation ID: N/A
Strategy: N/A
Effectiveness: N/A
Description:

Give every session and credential an expiration, and enforce it on the server. In practice that means an idle timeout (the session ends after a period without requests), an absolute lifetime (it ends a fixed time after authentication no matter how active it is), and server-side invalidation when the user logs out or re-authenticates, so that a session ID captured earlier stops working. Deleting the cookie on the client is not enough: the server must refuse the old ID.

Note: N/A
▼Modes Of Introduction
Phase: Architecture and Design
Note: N/A

Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
▼Applicable Platforms
▼Demonstrative Examples
Example 1

The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). Here the value is set to -1, which means that a session will never expire; under the Servlet specification zero or any negative value has the same effect. The corrective setting is a positive number of minutes appropriate to the application's risk. Note that session-timeout only controls the inactivity interval of an HttpSession: an absolute lifetime, and invalidation on logout via HttpSession.invalidate(), still have to be implemented in application code.

Language: XML (web.xml) (Bad code)

<web-app>
  [...snipped...]
  <session-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>

▼Observed Examples
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
Automated Static Analysis
Detection Method ID: DM-14
Description:

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Effectiveness: High
Note: N/A

▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions: N/A
▼Notes
Other

The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.
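The scenarios in the note above (a captured ID replayed immediately versus later, a logout on a shared machine) and the mitigation of expiring sessions are easier to reason about with a concrete server-side session table. The following is an added example written for this page, not code from CWE, WASC or ByteOS; SessionStore, FakeClock, replay_scenario and the 15-minute idle / 8-hour absolute limits are assumptions chosen for the demonstration. It enforces both an idle timeout and an absolute lifetime, invalidates on logout, rotates the ID after a privilege change, and, for contrast, shows a store with both limits disabled, which behaves like the session-timeout of -1 in the web.xml example.

```python
"""Session store with idle and absolute expiry: an added example for CWE-613,
not CWE, WASC or ByteOS code. All names and timeout values are assumptions."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session ends
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds after authentication, regardless of activity


@dataclass
class Session:
    user: str
    created_at: float   # time of authentication
    last_seen: float    # time of the last accepted request


class SessionStore:
    """Server-side session table. idle/absolute may be None to disable that
    limit, which reproduces the never-expiring behaviour of session-timeout=-1."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle = idle
        self.absolute = absolute
        self.clock = clock

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid):
        """Return the user behind a live session ID, or None.
        An expired entry is deleted so a later replay cannot revive it."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        idle_expired = self.idle is not None and now - s.last_seen > self.idle
        abs_expired = self.absolute is not None and now - s.created_at > self.absolute
        if idle_expired or abs_expired:
            del self._sessions[sid]
            return None
        s.last_seen = now          # sliding idle window
        return s.user

    def logout(self, sid):
        """Server-side invalidation; the browser's copy is useless afterwards."""
        self._sessions.pop(sid, None)

    def rotate(self, sid):
        """Re-key a session (after login or a privilege change) so an ID captured
        earlier stops working. Returns the new ID, or None for an unknown ID."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid


class FakeClock:
    """Controllable clock so the scenario runs instantly and deterministically."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def replay_scenario():
    """Replay the attacks from the Notes and return the server's answer for each
    presented ID: "alice" means accepted, None means rejected."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    out = {}
    # 1. Attacker captures the ID (sniffer or XSS) and replays it at once, then later.
    stolen = store.create("alice")
    out["immediate_replay"] = store.resolve(stolen)      # accepted: expiry cannot stop this
    clock.advance(16 * 60)                               # 16 min with no traffic
    out["replay_after_idle"] = store.resolve(stolen)     # rejected by the idle timeout
    # 2. Shared computer: victim logs out, attacker presents the old ID.
    sid = store.create("alice")
    clock.advance(5 * 60)
    store.resolve(sid)
    store.logout(sid)
    out["replay_after_logout"] = store.resolve(sid)      # rejected
    # 3. A session kept alive by activity still ends at the absolute limit.
    sid = store.create("alice")
    for _ in range(48):                                  # one request every 10 min for 8 h
        clock.advance(10 * 60)
        alive = store.resolve(sid)
    out["active_at_limit"] = alive                       # still accepted at exactly 8 h
    clock.advance(10 * 60)
    out["active_past_absolute"] = store.resolve(sid)     # rejected by the absolute lifetime
    # 4. Rotation after a privilege change kills a previously captured ID.
    old = store.create("alice")
    new = store.rotate(old)
    out["old_id_after_rotate"] = store.resolve(old)      # rejected
    out["new_id_after_rotate"] = store.resolve(new)      # accepted
    # 5. The weak configuration: no limits at all (cf. session-timeout = -1).
    lax = SessionStore(idle=None, absolute=None, clock=clock)
    stolen = lax.create("alice")
    clock.advance(365 * 24 * 3600)
    out["no_expiry_replay_after_a_year"] = lax.resolve(stolen)   # still accepted
    return out
```

Calling replay_scenario() returns a dictionary whose entries map each scenario to the user name the server resolved (accepted) or None (rejected); the first entry shows the limit the note states, that no timeout helps against an ID that is replayed immediately, while every later entry shows what idle, absolute, logout and rotation handling each prevent. Checking expiry at resolve time and deleting the entry, rather than relying on a background sweeper, is deliberate: the decision is made on the request that matters, and nothing can resurrect an entry that is gone.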

▼Taxonomy Mappings

Taxonomy Name  Entry ID  Fit  Entry Name
WASC           47        N/A  Insufficient Session Expiration
▼Related Attack Patterns
▼References