Cobalt Vulnerability Wiki

V3 - Session Management

Old session is not invalidated after logout

POC

1. Login as UserA


2. Intercept one of the authenticated requests and send to Burp repeater


3. Logout


4. Send the intercepted request from Burp Repeater again and observe that the server still accepts it: the old session token remains valid after logout instead of being invalidated server-side
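The four POC steps, modelled as an added example that is not part of the wiki page or of any real application: an in-memory server-side session store, a vulnerable logout handler that only asks the browser to drop the cookie, a fixed handler that also deletes the server-side record, and a replay check that does what Burp Repeater does in step 4. The store, the `Request` object, the `SESSION_TTL` value and the handler names are all assumptions made for the example.

```python
"""Login / logout session handling with the logout-replay check from the POC.
Everything here is constructed for the example: an in-memory session table
and a fake Request object stand in for the real application."""
import secrets
import time
from dataclasses import dataclass, field

SESSION_TTL = 3600  # seconds; assumed value, not from the page


@dataclass
class Request:
    """Stand-in for an HTTP request; only the cookie jar matters here."""
    cookies: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by the opaque cookie value."""

    def __init__(self):
        self._sessions = {}

    def login(self, username: str) -> str:
        # 256-bit random token from the CSPRNG; the client gets this as the cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "created": time.time()}
        return token

    def lookup(self, token: str):
        """Return the username for a live session, or None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if time.time() - entry["created"] > SESSION_TTL:
            self._sessions.pop(token, None)  # expired: drop it and reject
            return None
        return entry["user"]

    def delete(self, token: str) -> None:
        self._sessions.pop(token, None)


def logout_vulnerable(store: SessionStore, request: Request) -> dict:
    # Vulnerable: only tells the browser to discard its cookie. The server-side
    # entry survives, so any copy of the cookie (e.g. in Burp Repeater) keeps working.
    return {"Set-Cookie": "session=; Max-Age=0; Path=/"}


def logout_fixed(store: SessionStore, request: Request) -> dict:
    # Fixed: destroy the server-side session as well, so the token is dead
    # regardless of whether the client honours the Set-Cookie header.
    token = request.cookies.get("session")
    if token:
        store.delete(token)
    return {"Set-Cookie": "session=; Max-Age=0; Path=/"}


def authenticated_endpoint(store: SessionStore, request: Request):
    """(status, body) for an endpoint that requires a valid session cookie."""
    user = store.lookup(request.cookies.get("session", ""))
    if user is None:
        return 401, "unauthorized"
    return 200, f"profile of {user}"


def replay_after_logout(logout_handler) -> bool:
    """Run the POC: login, capture an authenticated request, logout, then
    resend the captured request. True means the old session is still accepted."""
    store = SessionStore()
    token = store.login("UserA")                                 # 1. login as UserA
    captured = Request(cookies={"session": token})              # 2. capture a request
    assert authenticated_endpoint(store, captured)[0] == 200     #    (works while logged in)
    logout_handler(store, Request(cookies={"session": token}))   # 3. logout
    status, _ = authenticated_endpoint(store, captured)          # 4. replay the capture
    return status == 200


if __name__ == "__main__":
    print("vulnerable logout, replay accepted:", replay_after_logout(logout_vulnerable))
    print("fixed logout, replay accepted:     ", replay_after_logout(logout_fixed))
```

The same replay check applies to real targets: the finding is confirmed only when the resent request returns the authenticated response, not merely when the browser no longer shows the user as logged in. For stateless tokens such as JWTs the fixed handler above has nothing to delete, which is why logout for such tokens needs a server-side denylist or short token lifetimes to achieve the same result.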




Impact

Low



Likelihood

Low

