
Insecure object reference - Session management

Description

It is possible to close active sessions of other users by knowing their e-mail.

Impact

Close user sessions in the application.

Recommendation

Validate that the user's e-mail is not altered or replaced by another user's e-mail in the logout process.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 45 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: N
  • Availability: L

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X
  • Score:
    • Base: 3.1
    • Temporal: 3.1
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The close-session functionality verifies that id, token and e-mail all belong to the same user.

const logOut = (req, res) => {
  // Reject requests whose user or token is not valid.
  if (isValidUser(req.body.user) && isValidToken(req.body.user.token)) {
    // Verify that id, token and e-mail all belong to the same user.
    const credentialsAreValid = validateCredentials(req.body.user);
    if (credentialsAreValid) {
      closeSession(req.body.userid, req.body.token, req.body.email);
    }
  }
};

Non compliant code

Closing a session without validating that the e-mail belongs to the same user and token.

const logOut = (req, res) => {
  if (isValidUser(req.body.user) && isValidToken(req.body.user.token)) {
    // The e-mail from the request body is trusted as-is, so any authenticated
    // user can close the session of whichever e-mail they submit.
    closeSession(req.body.email);
  }
};
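The following is an added, runnable example (not Fluid Attacks' code) that puts the non-compliant and compliant logout handlers side by side against a tiny in-memory session store. The store, the tokens, the e-mails and the request shape (`req.token`, `req.body`) are all constructed for illustration; the point it shows is that the hardened handler derives the session to close from the authenticated token and treats a mismatched e-mail as a 403 worth logging, rather than trusting the body.

```javascript
// Constructed sample data: token -> { userId, email }. Not real credentials.
const SEED = [
  ["tok-alice", { userId: 1, email: "alice@example.com" }],
  ["tok-bob", { userId: 2, email: "bob@example.com" }],
];
const sessions = new Map();

// Restore the sample store so each scenario starts from the same state.
function resetSessions() {
  sessions.clear();
  for (const [token, record] of SEED) sessions.set(token, { ...record });
  return sessions.size;
}

// Resolve the caller from the session token presented with the request
// (assumed to arrive as a bearer credential; transport details are omitted).
function authenticate(token) {
  const record = sessions.get(token);
  return record ? { token, ...record } : null;
}

// Non-compliant: closes every session whose e-mail matches the request body.
// The caller is authenticated, but nothing ties the e-mail to the caller, so
// an authenticated user can terminate another user's session by e-mail alone.
function logOutInsecure(req) {
  const caller = authenticate(req.token);
  if (!caller) return { status: 401 };
  const email = (req.body || {}).email;
  for (const [token, record] of sessions) {
    if (record.email === email) sessions.delete(token);
  }
  return { status: 200 };
}

// Compliant: the session to close is the caller's own, identified by the
// authenticated token. The id and e-mail in the body must match the record
// behind that token; a mismatch is refused and reported for monitoring.
function logOutSecure(req) {
  const caller = authenticate(req.token);
  if (!caller) return { status: 401 };
  const body = req.body || {};
  const idMatches = body.userId === caller.userId;
  const emailMatches = body.email === caller.email;
  if (!idMatches || !emailMatches) {
    // A mismatch between token owner and body fields is the detection
    // signal for this bug class; surface it to the audit log.
    return {
      status: 403,
      audit: `logout mismatch: token owner ${caller.userId} vs body ${body.userId}/${body.email}`,
    };
  }
  sessions.delete(caller.token);
  return { status: 200 };
}

// Convenience check used by the scenarios below.
function sessionIsOpen(token) {
  return sessions.has(token);
}

// Scenario: Alice, authenticated, submits Bob's e-mail.
resetSessions();
console.log("insecure:", logOutInsecure({ token: "tok-alice", body: { email: "bob@example.com" } }),
  "bob open:", sessionIsOpen("tok-bob"));
resetSessions();
console.log("secure:", logOutSecure({ token: "tok-alice", body: { userId: 1, email: "bob@example.com" } }),
  "bob open:", sessionIsOpen("tok-bob"));
```

With the insecure handler Bob's session disappears after Alice's request; with the secure handler Alice gets a 403 and an audit line, Bob's session stays open, and Alice can still close her own session by submitting her own id and e-mail.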

Requirements