Vulnerability: CONCURRENT USER SESSIONS
Issue observed in: HUB and Decipher
Business Impact: An attacker can connect concurrently with a user without indication that their account has been compromised.
Description
The application allows multiple connections simultaneously with the same authenticated user account. This is demonstrated by logging in with two separate browsers without restriction.
In this case, the application allowed the admin user to sign into the application using two different browsers at the same time.
Supporting Evidence: A high privileged user logged into the application from two different browsers at the same time.
Reproduction Steps
1. In Chrome, log into the application with a high privileged user
2. Perform the same action as step one, but this time using the Edge browser
3. Attempt to navigate to any other page within the application using both browsers.
4. The application does not log the user out of either session
Recommendation
• The application should restrict connections so that a user account can only create one session at a time to the application. This will create a condition that alerts the user that their account has been compromised.
• If there is a business case for concurrent user sessions, then some form of indication should be given to the user that their account may be compromised. This can be done with a message that occurs alerting that there is another login from another location.
• It can also be strengthened by displaying a message indicating the last time a login occurred.
References
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
278732:490206
... View more