Broken Authentication or Session Management
Authentication
Logout management
Log out in one tab but you stay logged in in another tab.
Click on log out and then go back in your browser, if you enter in the session again that is a problem.
Session management
Session does not die after password reset
https://hackerone.com/reports/145430
Cookie is usable after session is killed
This might be an issue if you save the cookie, and then log out. And then inject the cookie into your request again. If you can enter the session you have an issue. The issue here might be that the cookie is cleared on the client-side but not on the server-side.
HttpOnly
HttpOnly is a optional flag in the Set-Cookie response header. If the flag is set javascript code is not able to access the cookie. Which might prevent XSS. HttpOnly works if the browser honors that flag of course. But most browsers today do. You can see this behaviour if you open up the devetools in your browser and go to storage and look at the cookies. Then you can do
console.log(document.cookie)
and it will only print out the cookie that has the HttpOnly flag set to false
.
SecureFlag
This is another optional flag for cookies. It is the application server that set it. By setting this flag the browser will not send the cookie unencrypted.
Session-ID in URL
Session ID:s should never be showed in URLs. The risk is that if you pass the session-id in the URL and then share the link with someone that person might inherit the session. But if you put the session-id in the cookie that risk is avoided.
Password reset link does not expire
- You create an account in example.com. You add email [email protected]
- Your email account gets hacked.
- The hacker figures out you have a user on example.com. The hacker clicks the reset-password-link. But does not use it.
- The hacked person figures out that he is hacked and thus goes to example.com to change his password.
- The hacker now clicks on the link and manage to reset the password.
The problem here is that the first reset-link should be blocked once the second is sent.
Relevant bug bounty reports
https://hackerone.com/reports/23579
https://hackerone.com/reports/39203
https://hackerone.com/reports/23921
Cookie does not expire
An easy way to test this is by using burp-suite.
- Open burp-suite
- Login to a website you want to test
- Intercept the request, anyone will do.
- Right click on the request in burp-suite and click on "Send to repeater". Now you have saved that request for later. With the current cookie.
- Log out from the website
- Go to the Repeater-tab in burp and click on "Go".
- Verify that you are redirected to the login.