GGUNASEKARAN
Level 3
Status: New

Vulnerability: CONCURRENT USER SESSIONS

Issue observed in: HUB and Decipher

Business Impact: An attacker can connect concurrently with a user without indication that their account has been compromised.

Description

The application allows multiple connections simultaneously with the same authenticated user account. This is demonstrated by logging in with two separate browsers without restriction.

In this case, the application allowed the admin user to sign into the application using two different browsers at the same time.

Supporting Evidence: A high privileged user logged into the application from two different browsers at the same time.

Reproduction Steps

1. In Chrome, log into the application with a high privileged user.

2. Perform the same action as step one, but this time using the Edge browser.

3. Attempt to navigate to any other page within the application using both browsers.

4. The application does not log the user out of either session.

Recommendation

• The application should restrict connections so that a user account can only create one session at a time to the application. This will create a condition that alerts the user that their account has been compromised.

• If there is a business case for concurrent user sessions, then some form of indication should be given to the user that their account may be compromised. This can be done with a message alerting the user that there is another login from another location.

• It can also be strengthened by displaying a message indicating the last time a login occurred.

References

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
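The three recommendations above map onto a small amount of server-side session-store logic. The following is an added example, not code from the original post and not the HUB or Decipher implementation; it assumes a single-process in-memory store, that credential verification has already happened before `login()` is called, and that `client` is a constructed label such as `chrome@10.0.0.5` standing in for whatever the application records about the remote end. In the default mode a new login ends any existing session for the same account (recommendation 1); with `allow_concurrent=True` the existing sessions instead receive an alert on their next request, and every login is shown the previous login time and origin (recommendations 2 and 3).

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Session:
    token: str
    user: str
    client: str                  # constructed label, e.g. "chrome@10.0.0.5" (assumption)
    created: float
    pending: List[str] = field(default_factory=list)   # alerts queued for this session


class SessionManager:
    """In-memory session store (hypothetical) that enforces either one session
    per account or concurrent sessions with alerts to the existing ones."""

    def __init__(self, allow_concurrent: bool = False,
                 now: Callable[[], float] = time.time) -> None:
        self.allow_concurrent = allow_concurrent
        self._now = now                                   # injectable clock for tests
        self._sessions: Dict[str, Session] = {}           # token -> Session
        self._last_login: Dict[str, Tuple[float, str]] = {}   # user -> (time, client)

    @staticmethod
    def _fmt(ts: float) -> str:
        return time.strftime("%Y-%m-%d %H:%M:%SZ", time.gmtime(ts))

    def login(self, user: str, client: str) -> Tuple[str, List[str]]:
        """Call only after credentials have been verified.
        Returns (session token, notices to show the user who just logged in)."""
        now = self._now()
        notices: List[str] = []

        # Recommendation 3: show when and from where the previous login happened.
        previous = self._last_login.get(user)
        if previous is not None:
            notices.append(f"LAST_LOGIN: {self._fmt(previous[0])} from {previous[1]}")

        active = [s for s in self._sessions.values() if s.user == user]
        if active:
            if self.allow_concurrent:
                # Recommendation 2: tell every existing session that a new login occurred,
                # so the legitimate user sees it even if someone else did the logging in.
                for s in active:
                    s.pending.append(
                        f"NEW_LOGIN: your account signed in from {client} at {self._fmt(now)}")
                notices.append(f"CONCURRENT_SESSION: {len(active)} other active session(s)")
            else:
                # Recommendation 1: only one session per account; end the older ones.
                for s in active:
                    del self._sessions[s.token]
                notices.append("SESSION_REPLACED: your previous session was ended")

        token = secrets.token_urlsafe(32)                 # unpredictable session identifier
        self._sessions[token] = Session(token, user, client, now)
        self._last_login[user] = (now, client)
        return token, notices

    def is_valid(self, token: str) -> bool:
        return token in self._sessions

    def poll_notices(self, token: str) -> List[str]:
        """Called on each request by an existing session; returns and clears any
        alerts raised by logins that happened after the session was created."""
        s = self._sessions.get(token)
        if s is None:
            return []
        out, s.pending = s.pending, []
        return out

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    # Replays the reproduction steps above in concurrent mode: Chrome first, then Edge.
    clock = [1_700_000_000]
    mgr = SessionManager(allow_concurrent=True, now=lambda: clock[0])
    chrome, _ = mgr.login("admin", "chrome@10.0.0.5")
    clock[0] += 60
    edge, notices = mgr.login("admin", "edge@203.0.113.9")
    print("shown to the Edge login:", notices)
    print("shown to the Chrome session on its next request:", mgr.poll_notices(chrome))
```

In the single-session mode the Chrome session from step 1 stops validating as soon as the Edge login in step 2 succeeds, which is the "condition that alerts the user" the first recommendation asks for. In concurrent mode both sessions stay valid, but the Chrome session is handed a `NEW_LOGIN` alert naming the other origin on its next request, and the Edge login is shown the previous login time; a real deployment would persist the store and the last-login record outside the process.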