WARNING - STRICTLY FOR EDUCATIONAL PURPOSE
Websites usually create a session cookie and session ID for each valid session, and these cookies contain sensitive data like the username, password, etc. When the session ends, either by logout or because the browser was closed abruptly, these cookies should be invalidated (each session should get a new cookie).
If the cookies are not invalidated, the sensitive data remains on the system. For example, when a user uses a public computer, the cookies of the vulnerable site sit on that system, exposed to an attacker. If an attacker uses the same public computer some time later, the sensitive data is compromised.
In the same manner, a user on a public computer closes the browser abruptly instead of logging off. When an attacker uses the same system and browses to the same vulnerable site, the victim's previous session is reopened. The attacker can then do whatever he wants, from stealing profile information to credit card details, etc.
Vulnerable objects:
Session IDs exposed in the URL can lead to session fixation attacks.
Session ID is the same before and after logout and login.
Session timeouts are not implemented correctly.
Application is assigning the same session ID for each new session.
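The paragraphs and the list above describe four defects: session data carried in the cookie, IDs not rotated at login (fixation), IDs not invalidated at logout, and missing timeouts. As an added example that is not code from the original post, here is a minimal server-side session store in Python that avoids each of them; the class and function names and the 15-minute idle timeout are assumptions.

```python
import secrets
import time

# Added example (not from the original post): a server-side session store
# avoiding the four vulnerable objects above; the cookie holds only an opaque ID.

IDLE_TIMEOUT = 15 * 60  # assumed policy: 15 minutes of inactivity

class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # session_id -> {"user": ..., "last_seen": ...}
        self._clock = clock  # injectable clock so expiry can be tested

    def _new_id(self):
        # 256 bits from the OS CSPRNG: unpredictable and unique per session.
        return secrets.token_urlsafe(32)

    def create(self):
        """Anonymous pre-login session (e.g. for a shopping cart)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Authenticate and issue a fresh ID. Rotating the ID at login defeats
        fixation: an ID planted beforehand (e.g. in a URL) is discarded."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Resolve a cookie value to its session, enforcing the idle timeout.
        Returns None for unknown, logged-out or expired IDs."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: forget it server-side too
            return None
        sess["last_seen"] = self._clock()  # sliding expiry on activity
        return dict(sess)

    def logout(self, sid):
        """Invalidate server-side so a cookie left on a shared PC is worthless."""
        self._sessions.pop(sid, None)

def cookie_header(sid):
    """Set-Cookie value: opaque ID only, no user data, browser-side guards."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
```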