CWE-16
OWASP 2013-A5
OWASP 2017-A6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Overly Long Session Timeout

Severity:
Medium
Summary

Invicti detected that the web application is using a overly long session timeout.

The session-timeout configuration element from WEB-INF/web.xml defines the default session timeout interval for all sessions created in this web application.

The current configuration specified a session timeout value greater than 30 minutes.

Impact

Session timeouts greater than 30 minutes are not recommended as they provide attackers more time to complete attacks and exploits. Specifically, overly long sessions make applications more susceptible to session hijacking and cross-user web attacks, such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS).

Remediation
Required Skills for Successful Exploitation
Actions To Take

Decrease the value for session-timeout in the WEB-INF/web.xml like in this example:

<session-config>
<session-timeout>30</session-timeout>
</session-config>

Classifications
CWE-16
OWASP 2013-A5
OWASP 2017-A6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Vulnerability Index

You can search and find all vulnerabilities

Select Category
Critical
High
Medium
Low
Best Practice
Information
Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Related Vulnerabilities

Featured resources

No items found.
No items found.
View all resources

Build your resistance to threats. And save hundreds of hours each month.

Get a Demo