CVE-2024-25977 in HAWKI
Summary
by MITRE • 05/29/2024
The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's account being taken over.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/03/2024
This vulnerability represents a critical session management flaw that directly enables unauthorized account takeover through session token manipulation. The core issue occurs when an application fails to properly invalidate or regenerate session tokens during authentication and logout processes, creating a persistent security weakness that can be exploited by malicious actors. The vulnerability stems from improper session lifecycle management where session identifiers remain unchanged even after legitimate authentication events, allowing attackers to maintain access to user accounts through manipulated session tokens.
The technical implementation of this flaw involves the application's failure to enforce proper session token rotation during login operations. When a user authenticates, the system should generate a new session token and invalidate any previous session identifiers associated with that user. However, in vulnerable implementations, existing session tokens remain valid even after successful login attempts, creating a window of opportunity for attackers who have already established malicious session tokens in a victim's browser. This behavior violates fundamental security principles outlined in the OWASP Top Ten 2021 and aligns with CWE-613, which addresses insufficient session expiration and inadequate session management practices.
The operational impact of this vulnerability extends beyond simple session hijacking to encompass full account compromise and potential data breaches. Attackers can leverage cross-site scripting vulnerabilities to inject malicious session tokens into victim browsers, then redirect users to login pages where the existing session token is accepted, effectively transferring the authenticated session from the attacker to the victim. This attack vector directly maps to the ATT&CK technique T1531 for Account Access Removal and T1566 for Phishing, as it combines session manipulation with social engineering to achieve unauthorized access. The vulnerability creates a persistent threat where attackers can maintain access to compromised accounts indefinitely until manual session invalidation occurs.
Mitigation strategies must focus on implementing robust session management protocols that enforce token regeneration during authentication events and proper session invalidation upon logout. Organizations should implement session token rotation mechanisms that generate new identifiers for each authentication attempt, utilize secure session handling libraries, and establish proper session timeout mechanisms. The solution involves configuring applications to destroy old session identifiers and create fresh ones during login processes, while also implementing additional security measures such as secure cookie attributes, HTTP-only flags, and SameSite protections. Regular security testing including session management audits and penetration testing should be conducted to ensure proper implementation and prevent exploitation of this vulnerability across all application components and user authentication flows.