How I Made $175 in 10 Minutes: Insufficient Session Expiration

Hi folks,
Here I’m going to tell you how I earned $175 within 10 minutes by doing some logical thinking.
Weakness : INSUFFICIENT SESSION EXPIRATION
Severity : LOW - A2: Broken Authentication
Bounty : $175
HackerOne Report: https://hackerone.com/reports/921426
CWE : CWE-613: Insufficient Session Expiration
CVE : CVE-2020-35358
Summary:
Insufficient Session Expiration is a vulnerability that allows an attacker to reuse old session data or session IDs, exposing applications to attacks that steal or reuse a user’s session ID. Session expiration may be insufficient in the following situations:
- The timeout is too long, or the session does not actually end after the user uses the logout/logoff feature. Anyone with access to the victim’s browser could also use the back button to reach pages the victim visited before logging out.
- A long expiration time increases the chance that an attacker will successfully guess a valid session ID: the longer sessions live, the more of them are open at any one time.
- The larger the pool of open sessions, the more likely it is that a random guess hits a live one. Shortening the inactivity timeout does not help against a stolen token that is used immediately, but a shorter timeout narrows the window in which a token can be captured while it is still valid.
The web application should invalidate the session after a predefined idle time (timeout) and allow the user to end their session (logoff). These simple measures keep the lifetime of a session ID as short as possible. To protect against insufficient session expiration, the logout feature should be clearly visible to the user, explicitly invalidate the user’s session on the server, and prohibit reuse of the session ID.
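The mitigations listed above, as an added example that is not the author’s code or LifeOmic’s: a server-side session store that is the only source of truth for validity, with an idle timeout, an absolute lifetime cap, and a logout that deletes the record rather than just clearing a cookie. The names (SessionStore, IDLE_TIMEOUT, ABSOLUTE_LIFETIME) and the timeout values are assumptions; the scenario at the end replays the bug class described in this post, a session ID presented again after logout, and shows it being rejected.

```python
import secrets

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: hard cap on a session's total life, active or not

class SessionStore:
    """Server-side session registry: the only source of truth for validity."""

    def __init__(self, now):
        self._now = now            # clock function, injectable so expiry can be tested
        self._sessions = {}        # session_id -> {"user", "created", "last_seen"}

    def login(self, user):
        sid = secrets.token_urlsafe(32)   # fresh, unguessable ID on every login
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None if it must be rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None            # unknown, expired earlier, or logged out
        t = self._now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]  # expired: drop it so the ID cannot be reused
            return None
        s["last_seen"] = t         # activity extends the idle window, not the cap
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)  # delete server-side; clearing the cookie is not enough

def run_scenario():
    """Exercise logout, idle timeout and absolute lifetime with a fake clock."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.login("alice")
    results = {"live": store.validate(sid)}
    store.logout(sid)
    results["after_logout"] = store.validate(sid)     # old ID rejected
    sid = store.login("alice")
    clock[0] += IDLE_TIMEOUT + 1
    results["after_idle"] = store.validate(sid)       # idle timeout hit
    sid = store.login("alice")
    for _ in range(33):                               # stay active, but past the cap
        clock[0] += IDLE_TIMEOUT - 1
        last = store.validate(sid)
    results["after_absolute"] = last                  # 33 * 899 s > 8 h: rejected
    return results
```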
HOW I STARTED HUNTING IT:
I got bored and worried because I have too many things to learn and explore, and I was getting stressed, so I planned to start bug hunting again. I chose the HackerOne platform to find a domain, picked one called *.x.com, and visited the page to understand it. After some time I moved to the login page and tried to log in by creating a new account with an email ID, and also via a Google account, and here I actually followed all my usual testing like brute force, rate limiting, OAuth bypass via password reset, but nothing worked. I wasted 2 hours on this and got too stressed 😔. But after getting refreshed I started testing it again to hunt for some XSS, XXE, HTML Injection, etc….. OOPSSSS …….
Again I got more stressed, logged out of the website and went for coffee. But something was triggering in my mind that today is my day, so I went and switched on my PC and visited that page: BOOOMMM. What’s happening here? I had just logged out of that website and gone for coffee, and now my session is logged in, WHAT?.. I logged out again and visited the page: my session was still valid and my account was not logged out. Then I thought a lot about it and googled the issue, and I came to know that it’s an Insufficient Session Expiration vulnerability, which I took more seriously.
I opened a private tab, visited that *.x.com and logged in via my Google account, then logged out from the website and logged out of all my Google accounts as well. BOOM, it’s not validating the token for a while.
Then I started recording the PoC and submitted the report to *.x.com, and after a few hours a HackerOne researcher replied that my report was a DUPLICATE. I just closed my PC and started overthinking.

Actually I spent more than 6 to 8 hours finding this vulnerability 😢 by testing all the weaknesses; finally I found this, but within an hour a HackerOne researcher replied that the issue was a duplicate.
After a few hours the LifeOmic hacker team replied and appreciated me for finding the issue: the AWS Cognito session caches the Google IdP response for a limited period of time instead of going back to the IdP.

Finally the team triaged the report and awarded me $175, and I’m disclosing the issue.