
Session Upgrade - Session token not updated after login

Severity
4
CVSS
(AV:N/AC:L/Au:M/C:P/I:N/A:N)
Published
2016-01-01
Added
2018-06-27
Modified
2018-06-27

Description

The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session, and the previous ID must be invalidated at the same time. The most common scenario where session ID regeneration is mandatory is the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state. If the same ID is kept across login, an attacker who knows or plants the pre-authentication ID (session fixation) holds the authenticated session once the victim logs in. Other scenarios must also be considered, such as password changes, permission changes, or switching from a regular user role to an administrator role within the web application.
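As an added illustration (example code written for this page, not Rapid7's or any framework's code), the following Python shows a minimal server-side session store with a login handler that keeps the pre-authentication session ID beside one that regenerates it, plus a fixation check that reproduces the failure: an attacker who learns the anonymous session ID before login can replay it after the victim authenticates. The user table, the `SessionStore` class and the function names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed credential table for the example (not a real user database).
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    """Server-side state bound to one session ID."""
    user: Optional[str] = None
    role: str = "anonymous"


class SessionStore:
    """Minimal in-memory session store keyed by an unguessable ID (hypothetical)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def regenerate(self, sid: str) -> str:
        """Move the session state to a fresh ID and invalidate the old ID."""
        state = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid


def _credentials_ok(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def login_vulnerable(store: SessionStore, sid: str,
                     username: str, password: str) -> Optional[str]:
    """Authenticates but keeps the pre-authentication session ID (the flaw)."""
    sess = store.get(sid)
    if sess is None or not _credentials_ok(username, password):
        return None
    sess.user, sess.role = username, "user"
    return sid  # same ID before and after the privilege change


def login_fixed(store: SessionStore, sid: str,
                username: str, password: str) -> Optional[str]:
    """Authenticates and issues a new session ID; the old ID stops working."""
    sess = store.get(sid)
    if sess is None or not _credentials_ok(username, password):
        return None
    sess.user, sess.role = username, "user"
    return store.regenerate(sid)


def change_role_fixed(store: SessionStore, sid: str, new_role: str) -> Optional[str]:
    """Any later privilege change (e.g. user -> admin) also gets a fresh ID."""
    sess = store.get(sid)
    if sess is None or sess.user is None:
        return None
    sess.role = new_role
    return store.regenerate(sid)


def fixation_succeeds(login: Callable[..., Optional[str]]) -> bool:
    """Session-fixation check: an attacker plants a session ID they already
    know on the victim's browser; after the victim logs in with that ID, does
    replaying it give the attacker the authenticated session?"""
    store = SessionStore()
    planted_sid = store.create()            # attacker obtains this ID first
    login(store, planted_sid, "alice", "correct horse battery staple")
    attacker_view = store.get(planted_sid)  # attacker replays the planted ID
    return attacker_view is not None and attacker_view.user == "alice"


if __name__ == "__main__":
    print("vulnerable login fixable:", fixation_succeeds(login_vulnerable))
    print("fixed login fixable:     ", fixation_succeeds(login_fixed))
```

`fixation_succeeds` returns True for `login_vulnerable` and False for `login_fixed`; the same regenerate-and-invalidate step is applied in `change_role_fixed` so that the other privilege changes the description lists (password change, permission change, role switch) are covered by the same mechanism rather than by login alone.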

Solution

sessionupgrade-sessionupgrade-r01
