Page 1 of 1

Broken authentication and session management.

Posted: Sat Oct 12, 2019 7:48 am
by user84
hi there ... i am a bug hunter 'i wanna report a bug your main domain....

Contact me for POC video. 

When someone forget his/her password, each and every active sessions that belongs to that particular account must be destroyed!
I would recommend you to follow Facebook on this security issue.. They fixed this issue few months back by adding a process that asks users whether user want to close all open sessions or not right after changing password.
So there is two way, either you let users to choose if they want to keep active sessions or just destroy every active sessions when users change his/her password!

In this case 4 issue will be happen
Issue 1: Forced Browsing
Issue 2: Parameter Modification
Issue 3: Session Identifier Prediction
Issue 4: SQL Injection within Login Forms

Please think about this. This is very harmful for your site.
I look forward to hearing from you!

Thanks and Best Wishes.

Attacker will be still logged in your account even after changing password, cause his session is still active.. he'll have complete access on your account till that session expires! Also Attacker can do anything on your account.In summary, authentication bypass is an important area to focus on during a penetration test. Bypasses can come in many forms and often arise due to poor implementations such as placing trust in client side data, utilizing weak tokens or being careless with database queries and not using prepared statements.

Please contact me on may personal mail :

Re: Broken authentication and session management.

Posted: Sun Oct 20, 2019 3:46 am
i am a bug hunter 'i wanna report a bug your main domain....
What Main Domain are you talking about ? ???
And why on Earth should someone contact an anonymous GMail Address holder,
to then talk about possible security Issues ? :laugh: :crazy: