Web Security Vulnerabilities On User Session And Username Iteration

This article demonstrates common security concerns and vulnerabilities in an application arising from user session handling, username enumeration through forgot-password functionality, and similar issues. It is a continuation of a series of discussions on common security concerns and vulnerabilities; you can refer to the related articles on this topic.


In this article, we will discuss the following common web security concerns, each with a remediation technique:

  1. Log Out Does Not Invalidate Session
  2. Concurrent User Session
  3. Username Iteration Using Forgot Password Functionality
  4. Test User Accounts

Log Out Does Not Invalidate Session

Applications are sometimes found to reload an existing authenticated session when the login button is clicked after the user has logged out.

When an authenticated user logs out by clicking the respective button, the application homepage is loaded. If the ‘login’ button is then clicked from this page, the previous session reopens without any authentication being required, because the server never invalidated it. If the user is working on a shared workstation, this allows another person to hijack the logged-in user’s session after they have logged out and left the workstation.

Remediation Technique

It is recommended that the underlying source code is amended so that the logout function actually terminates the session. The session record must be invalidated on the server side (clearing the cookie in the browser alone is not enough, since the server will still honour the identifier if it is presented again), the session cookie should be expired in the logout response, and any subsequent request carrying the old session identifier must be treated as unauthenticated. An automatic logout after a period of inactivity is a useful complement, but it does not replace server-side invalidation on logout.

Concurrent User Session

It was found that the same account could be used to access the application from several concurrent sessions.

Failure to prevent concurrent logins makes it harder for a user to identify whether their account has been compromised, as both illegitimate and legitimate use could occur at the same time. In addition, permitting a user to log in multiple times may create concurrency faults: errors that arise when data is updated (almost) simultaneously by separate requests from different sessions. This can lead to inconsistencies or exceptions (depending upon the nature of the data being modified) and, at the very least, could use extra resources, cause user confusion and create inconsistent log entries.

Remediation Technique

User accounts within a web application should only be permitted to use one session at a time. If the user authenticates again, any previously valid session should be terminated immediately, with an appropriate message displayed in both sessions so that the legitimate user notices if someone else caused the eviction.
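As an added example (not code from the original article), the following Python sketch shows both remediations above in one in-memory session store: logout destroys the server-side record and expires the cookie, and a new login for an account terminates that account's previous session with a message the old browser receives on its next request. The `logout_vulnerable` method reproduces the first finding for contrast. The cookie name, the idle timeout value and the notice texts are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity after which the server drops a session
COOKIE_NAME = "session"  # assumed cookie name; the real application's may differ


@dataclass
class Session:
    user: str
    last_seen: float


def expire_cookie_header() -> str:
    """Set-Cookie value telling the browser to discard the session cookie.
    On its own this is NOT a logout: the server-side record must go too."""
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self._sid_for_user: Dict[str, str] = {}  # enforces one live session per account
        self._notices: Dict[str, str] = {}       # why a terminated session id stopped working

    def login(self, user: str) -> str:
        """Issue a fresh, unpredictable session id. Any earlier session for the
        same account is terminated and left a message explaining why."""
        old = self._sid_for_user.get(user)
        if old is not None:
            self._terminate(old, "Your session was ended because this account signed in elsewhere.")
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, self._clock())
        self._sid_for_user[user] = sid
        return sid

    def logout_vulnerable(self, sid: str) -> str:
        """The broken pattern from the finding: the browser is told to drop the
        cookie, but the server still honours the id if it is presented again."""
        return expire_cookie_header()

    def logout(self, sid: str) -> str:
        """Correct logout: destroy the server-side record, then expire the cookie."""
        self._terminate(sid, "You have been logged out.")
        return expire_cookie_header()

    def validate(self, sid: str) -> Tuple[Optional[Session], Optional[str]]:
        """Resolve a presented session id. Returns (session, None) when live and
        (None, reason) when it was terminated or idle for too long; the reason is
        handed out once so the old browser can display it."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None, self._notices.pop(sid, None)
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT:
            self._terminate(sid, "Your session expired after a period of inactivity.")
            return None, self._notices.pop(sid)
        sess.last_seen = now
        return sess, None

    def _terminate(self, sid: str, reason: str) -> None:
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return  # unknown id: record nothing, so forged ids cannot grow the notice table
        if self._sid_for_user.get(sess.user) == sid:
            del self._sid_for_user[sess.user]
        self._notices[sid] = reason


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    store.logout_vulnerable(sid)
    assert store.validate(sid)[0] is not None  # the finding: the old session still reopens
    store.logout(sid)
    assert store.validate(sid) == (None, "You have been logged out.")
    first = store.login("alice")
    second = store.login("alice")  # second login evicts the first
    assert store.validate(first)[0] is None and store.validate(second)[0] is not None
    print("session handling demo passed")
```

The `clock` argument exists only so the idle timeout can be exercised deterministically; in production the default `time.time` is what you want. Note that `logout` deliberately does not trust anything except the session id the server itself issued.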

Username Iteration Using Forgot Password Functionality

Active account usernames can be enumerated through the reset/forgot-password functionality.

It was found that valid usernames could be enumerated through the password reset (forgot password) functionality, allowing a malicious user to verify which accounts are active. A confirmed username is a partial victory when attempting to obtain valid credentials for a system, and it enables further attacks such as brute-forcing the account password. An account lockout is in place after three wrong password attempts in the application, which limits online password guessing; however, that same lockout means an attacker holding a list of confirmed usernames can deliberately lock legitimate users out.

The screenshots taken during testing (not reproduced here) showed the difference between the responses for an active and a non-existent username.

Remediation Technique

It is recommended that the password reset functionality returns a generic, consistent response regardless of whether the submitted username exists: the same message, the same HTTP status code and the same response time, with the reset e-mail only actually sent when the account exists. Rate limiting the endpoint further reduces the value of any residual difference an attacker might measure.
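The following Python example is added here and is not code from the original article. It places the pattern behind the finding beside a hardened forgot-password handler: the hardened version returns the same status and message for every username and does the same token work on both paths, so neither the body nor the response time reveals whether the account exists. The user table, the in-memory "outbox" standing in for the mail sender, and the message texts are constructed for the demo.

```python
import hashlib
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed demo data: username -> registered e-mail address.
USERS: Dict[str, str] = {"alice": "alice@example.com", "bob": "bob@example.com"}

GENERIC_MESSAGE = ("If an account exists for that username, a password reset link "
                   "has been sent to the registered email address.")

# Reset tokens are stored hashed so that reading the table does not yield usable links.
RESET_TOKENS: Dict[str, str] = {}

Response = Tuple[int, str]
Outbox = List[Tuple[str, str]]  # (recipient, token) pairs standing in for sent mail


def forgot_password_vulnerable(username: str, outbox: Outbox) -> Response:
    """The pattern behind the finding: status code and message differ depending
    on whether the account exists, so one request per candidate confirms it."""
    email = USERS.get(username)
    if email is None:
        return 404, "No account found for that username."
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
    outbox.append((email, token))
    return 200, "A password reset link has been sent to your email address."


def forgot_password(username: str, outbox: Outbox) -> Response:
    """Hardened handler: identical status and body for every input, and the same
    token generation and hashing on both paths so timing does not betray the
    lookup either. The only difference is whether an e-mail leaves the system."""
    email = USERS.get(username)
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()  # done unconditionally
    if email is not None:
        RESET_TOKENS[digest] = username
        outbox.append((email, token))
    return 200, GENERIC_MESSAGE


def responses_distinguish_accounts(handler: Callable[[str, Outbox], Response]) -> bool:
    """Oracle check a tester can run against a handler: does it answer differently
    for a known and an unknown username? True means usernames can be enumerated."""
    known = handler("alice", [])
    unknown = handler("no-such-user-" + secrets.token_hex(4), [])
    return known != unknown


if __name__ == "__main__":
    print("vulnerable handler leaks:", responses_distinguish_accounts(forgot_password_vulnerable))
    print("hardened handler leaks:", responses_distinguish_accounts(forgot_password))
```

The same oracle applies to the login and registration forms: whenever a handler branches on account existence, compare the full response (status, body, headers and elapsed time) for a real and a made-up username before signing it off.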

Test User Accounts

User accounts created for testing were left in the application.

During testing, a number of user accounts were created and could not be removed by the test team.

Remediation Technique

It is recommended that these test user accounts be removed once testing is complete. Any test account that cannot be deleted immediately should at least be disabled and have its privileges reviewed, since a forgotten test account is an unmonitored way into the application.

Happy Reading!