# Session Management Flaws

| Field | Value |
|---|---|
| CWE | CWE-384, CWE-613 |
| Tools | burp, jwt_tool |
| Difficulty | 🟡 intermediate |
## Attack Session Management

### Analyze Cookie Attributes

```bash
# Inspect Set-Cookie headers
curl -I -c - "https://TARGET/login" 2>/dev/null | grep -i "set-cookie"
```
Check for:

- HttpOnly -- If missing, the session cookie is accessible to JavaScript (XSS -> session theft).
- Secure -- If missing, the cookie is sent over plain HTTP (MITM -> session theft).
- SameSite -- If missing or set to None, cross-site requests carry the cookie (CSRF risk).
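The grep above only shows the raw header; the following added script (not part of the original page) parses each Set-Cookie value and reports the three attributes listed above, plus a persistence check tied to CWE-613. The set of cookie names treated as session identifiers and the 8-hour persistence threshold are assumptions; the sample headers are constructed.

```python
# Assumption: cookie names treated as session identifiers (extend per application)
SESSION_COOKIE_NAMES = {"session", "sessionid", "sid", "phpsessid", "jsessionid"}
# Assumption: a session cookie persisting longer than 8 hours is flagged (CWE-613)
MAX_SESSION_AGE_SECONDS = 8 * 3600


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return findings for a session cookie; [] if hardened or not a session cookie."""
    name, _value, attrs = parse_set_cookie(header)
    if name.lower() not in SESSION_COOKIE_NAMES:
        return []
    issues = []
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable by JavaScript (XSS -> session theft)")
    if "secure" not in attrs:
        issues.append("missing Secure: sent over plain HTTP (MITM -> session theft)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        issues.append("missing SameSite: browser default decides cross-site sending (CSRF risk)")
    elif samesite == "none":
        issues.append("SameSite=None: cookie rides along on cross-site requests (CSRF risk)")
    # Max-Age or Expires turns a browser-session cookie into a persistent one
    if "max-age" in attrs:
        if not attrs["max-age"].isdigit() or int(attrs["max-age"]) > MAX_SESSION_AGE_SECONDS:
            issues.append(f"Max-Age={attrs['max-age']}: not within {MAX_SESSION_AGE_SECONDS}s (CWE-613)")
    elif "expires" in attrs:
        issues.append("Expires set: persistent cookie, confirm server-side expiry matches (CWE-613)")
    return issues


# Constructed sample headers standing in for real Set-Cookie values
SAMPLE_HEADERS = [
    "session=abc123; Path=/",
    "session=def456; Path=/; HttpOnly; Secure; SameSite=Lax",
    "PHPSESSID=789; Path=/; HttpOnly; SameSite=None; Max-Age=2592000",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        findings = audit_set_cookie(header)
        print(header.split(";")[0], "->", "OK" if not findings else "; ".join(findings))
```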
### Test Session Fixation
Test whether the application issues a new session identifier after successful authentication.
```bash
# Step 1: Get a session token before authentication
# (-o /dev/null keeps the response body out of the pipe so grep only sees the cookie jar)
session_id=$(curl -c - -s -o /dev/null "https://TARGET/login" | grep session | awk '{print $7}')
echo "Pre-auth session: $session_id"

# Step 2: Authenticate with this session
curl -b "session=$session_id" -X POST "https://TARGET/login" \
  -d "username=testuser&password=testpass"

# Step 3: Check if the same session ID is now authenticated
# If yes = Session Fixation vulnerability (CWE-384)
```
Exploitation paths for fixation: force victim to use your session via URL parameter (?session=attacker_session), JavaScript injection to set cookie, or meta refresh.
### Test Session Timeout
Test both idle timeout and absolute timeout:
```bash
# Login and get session
session=$(curl -X POST "https://TARGET/login" \
  -d "username=test&password=test" -c - -s -o /dev/null | grep session | awk '{print $7}')

# Test after idle period (e.g., 30+ minutes of inactivity)
sleep 1800
curl -b "session=$session" "https://TARGET/api/me"

# Test absolute timeout (e.g., session created hours ago, still in continuous use)
```
Sessions that never expire or have excessively long timeouts increase the window for session theft.
### Test Session Persistence After Logout

```bash
session=$(curl -X POST "https://TARGET/login" \
  -d "username=test&password=test" -c - -s -o /dev/null | grep session | awk '{print $7}')

# Verify session works
curl -b "session=$session" "https://TARGET/api/me"

# Logout
curl -b "session=$session" "https://TARGET/logout"

# Test if session still works -- should fail but often does not
curl -b "session=$session" "https://TARGET/api/me"
```
### Predict Session Tokens
Collect multiple session tokens and analyze for predictability.
```python
import time
import requests

sessions = []
for i in range(10):
    # Each login should hand out a fresh session cookie
    response = requests.post("https://TARGET/login",
                             data={"username": "test", "password": "test"})
    sessions.append({
        "token": response.cookies.get("session"),
        "time": time.time()  # record issue time to spot timestamp-derived tokens
    })
    time.sleep(0.5)

for i, s in enumerate(sessions):
    print(f"Token {i}: {s['token']} at {s['time']}")

# Analyze for: sequential portions, timestamp encoding,
# low entropy sections, predictable deltas between tokens
```
### Test Concurrent Session Handling

```bash
# Login from first "device"
session1=$(curl -X POST "https://TARGET/login" \
  -d "username=test&password=test" -c - -s -o /dev/null | grep session | awk '{print $7}')

# Login again from second "device"
session2=$(curl -X POST "https://TARGET/login" \
  -d "username=test&password=test" -c - -s -o /dev/null | grep session | awk '{print $7}')

# Check if session1 is still valid
curl -b "session=$session1" "https://TARGET/api/me"

# If old sessions persist indefinitely with no limit on concurrent sessions,
# document this -- it increases the window for session theft
```