
Insecurely generated token - Lifespan

Description

Session tokens are generated with an expiration time of approximately 5 days.

Impact

Leverage a session token to modify user information.

Recommendation

Decrease the lifetime of the tokens.

Threat

Anonymous attacker from the Internet with a session token.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:X/RC:X
  • Score:
    • Base: 4.8
    • Temporal: 4.6
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application sets a secure expiration time for session tokens.

app.use(
  sessionToken({
    secret: "secretkey",
    token: {
      // Short expiration time limit (milliseconds)
      expires: 360000
    }
  })
);

Non compliant code

The application does not define a secure limit for the expiration of tokens.

app.use(
  sessionToken({
    secret: "secretkey",
    token: {
      // Insecure expiration time limit: 5 days in milliseconds
      expires: 5*24*60*60*1000
    }
  })
);

Requirements