
Concurrent sessions control bypass

Description

It is possible to bypass concurrent session control by navigating directly to any valid URL in the application once the error stating that a session is already open appears.

Impact

Access the application concurrently with the same user, causing loss of traceability.

Recommendation

Immediately invalidate previous session when logging in from a new location.

Threat

Malicious actor from intranet.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 3.5
    • Temporal: 3.5
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The application verifies the user token before accessing sensitive information.

const accessProfile = (req, res) => {
  // Look up the stored user record for the submitted id (findUser is an assumed helper)
  const user = findUser(req.body.userId);
  if (user && user.token === req.body.token) {
    // The request carries the token of the current session: the user is already logged in
    // ...code to handle login
    res.redirect("/profile");
  } else if (user && isValidCredentials(user, req.body.password)) {
    // Expire the current session if the user is logging in from another location
    deleteToken(user);
    // ...code to handle login (issue a new token for this session)
    res.redirect("/profile");
  } else {
    // ...code to handle wrong credentials or non-existing user
    res.status(401).send("Invalid credentials");
  }
};

Non compliant code

The application does not verify whether the user already has an open session before signing in.

const accessProfile = (req, res) => {
  // findUser is an assumed lookup helper; the original left `user` undefined
  const user = findUser(req.body.user);
  if (user && isValidCredentials(user, req.body.password)) {
    // Proceeds without checking whether the user is already logged in from another location
    goToProfileInfo(user.username, user.token);
  }
};

Requirements