wisemonkeys logo
FeedNotificationProfileManage Forms
FeedNotificationSearchSign in
wisemonkeys logo

Blogs

Session Vulnerabilities

profile
Akanksha Rathod
Aug 17, 2022
1 Like
0 Discussions
104 Reads

Before we learn about the vulnerabilities we should know what is a session.

You might have observed being logged out from a website after you keep it idle for a long time, you also get a message stating that "Session has expired".

Session simply means a group of interactions that a user has on a website within a given time frame. Visiting a website can also be considered as a session, however, in technical words, session can be captured by existing the website or by a period of user inactivity.

How can a session be vulnerable?


1) Generating weak session management:

The logic of creating a session token is pretty simple. The attacker is able to learn the pattern and is able to create a valid fake token using the exposed logic behind the session token creation.

2) Poor handling of sessions:
If the session is not terminated properly, or the token is leaked within the network, token hijacking can take place, where the attacker can easily invade.

3) Using meaningful token as a session ID:
Some developers tries to put a lot of information in the session ID, these information may include username, user id, email address, etc. The value may be encrypted and look long however, if it is decoded, it will give out all the useful information of the user.

4) Using predictable tokens:
The session ID tokens are in encrypted format and hence, we feel that they are safe. However, we do not know if they consist of some pattern or a sequence that is commonly used, if so, attackers can easily guess the token.

Session cookies puts the data into temporary memory and deletes it once the session is finished. This data is then used to track the user's development throughout the website. If these sessions are not managed properly, user's information can be stolen like passwords or confidential data. This attack is called as session hijacking. Attacker can use brute force, can guess or predict the exposed session tokens and impersonates and hijacks a genuine user. 


Comments ()


Sign in

Read Next

Windows Operating System

Blog banner

Hey Aryan here

Blog banner

Love is in air.....

Blog banner

What is 'Multi-core and Multi-threading' ?

Blog banner

Service Strategy principles

Blog banner

Operating Systems Overview

Blog banner

How Cyber Forensics help prevent Crimes

Blog banner

Modern operating system

Blog banner

Threat management

Blog banner

Deadlock in Operating systems

Blog banner

Data Security and Data Privacy in Data Science

Blog banner

From Canoeing to Camping: The Perfect Nature Escape Near Arcadia

Blog banner

Rock, Paper, Scissors Game in Common Lisp

Blog banner

Blog name

Blog banner

Dekkers Algorithm

Blog banner

Electronic Funds Transfer

Blog banner

How to kiss

Blog banner

MAHAKAL LOK UJJAIN

Blog banner

Logical and physical address

Blog banner

What Your Child Learns During Free Play (That You Might Not Notice)

Blog banner

Exploring Arcadia’s Cowboy Culture, Peace River & Hidden Attractions

Blog banner

How User Data Shapes Personalised Campaigns

Blog banner

Memory management

Blog banner

DISK SCHEDULING

Blog banner

From Procrastinator to Performer: How to Beat the Last-Minute Rush

Blog banner

operating system

Blog banner

Craziness of dream 11 and how it impacts on our life

Blog banner

Direct Memory Access

Blog banner

Electronic data interchange

Blog banner

OPERATING SYSTEM

Blog banner

Memory Management

Blog banner

How Unstructured Play Helps Children Become Creative Thinkers

Blog banner

Career v/s Job : Choose your passion

Blog banner

Europe Through My Lens

Blog banner

ahh wait a min

Blog banner

LIMITED EDITION

Blog banner

Mumbai famous street food

Blog banner

Digital Life And Mental Health: A Psychological Perspective in the Modern World

Blog banner

A book review

Blog banner

Kernel Memory Allocation In Linux.

Blog banner

Theads

Blog banner

Visualization in Data Science

Blog banner