
Security controls bypass or absence - Session Invalidation

Description

The application implements a function that returns the user's Main (landing page) from their session code. However, source code used during the debugging phase was left in this function: if a session code containing the word auto is supplied, access is granted without any credential check.

Impact

  • Exploit the logic introduced by the debugging code to access the application without having credentials.
  • Place the word auto in a session code and gain access to the application with a Main used during the testing phase.

Recommendation

Remove the code used during testing.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 4.8
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

All functionalities of the application correctly handle the authorization of users; every path that is not a verified user and token is rejected explicitly

const logIn = (req, res) => {
  if (isValidUser(req.body.user) && isValidToken(req.body.user.token)) {
    res.redirect('users/main');
  } else {
    // Any other request is rejected; there is no alternative path in
    res.status(401).end();
  }
  // Delete all development code before shipping
};

Non compliant code

There is a functionality that allows a breach because debugging code was left in the source

const logIn = (req, res) => {
  if (isValidUser(req.body.user) && isValidToken(req.body.user.token)) {
    res.redirect('users/main');
  } else if (req.body.session.includes('auto')) {
    // This clause was used in a development environment to test code and bypass
    // the authentication; it was never removed, so any session code containing
    // the word auto is granted access
    res.redirect('users/main');
  }
};

Requirements