Web application security - the fast guide Chapter 5: Attack Execution - the client | Page 14

Time To Create to Time to Use

Attack requirement:
1. The application gives the user the ability to extend or preserve a session for a long time in a rapidly changing environment (credentials or roles are revoked while sessions stay alive).

Attack process:
1. Log in normally before the denial period and extend the session timeout using the option the application provides.
2. After the denial period, the user is still able to execute most of the denied activities.

Diagram (session validity over time):
Create legitimate session -> Invalidate credentials without invalidating the session -> Use the application with privileged role
Axis: Session Validity Time

2017-05-10 Web Application Security Fast Guide (book slides) By Dr.Sami Khiami Slide 14
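The defect on this slide is a session-validity check that only looks at the session's own expiry, so credential or role revocation never reaches sessions created earlier. The added example below (not from the book) contrasts that weak check with one that also rejects any session issued before the user's last revocation; the User/Session fields and timestamps are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    role: str
    # Constructed field: time (seconds) of the last credential/role
    # invalidation (password reset, role removal, lock). None = never.
    revoked_after: Optional[float] = None


@dataclass
class Session:
    user: str
    issued_at: float
    expires_at: float


def extend_session(session: Session, now: float, ttl: float, max_life: float) -> Session:
    """'Keep me logged in' style extension, capped by an absolute session lifetime."""
    session.expires_at = min(now + ttl, session.issued_at + max_life)
    return session


def weak_is_valid(session: Session, now: float) -> bool:
    """Only checks the session's own expiry: the pattern the slide attacks.

    A session created before the denial period and extended by the user
    stays usable, even though the account's credentials were invalidated."""
    return now < session.expires_at


def strict_is_valid(session: Session, user: User, now: float) -> bool:
    """Also rejects sessions issued before the user's last revocation.

    Invalidating credentials records a revocation time; any session issued
    at or before that time is treated as dead on its next request."""
    if now >= session.expires_at:
        return False
    if user.revoked_after is not None and session.issued_at <= user.revoked_after:
        return False
    return True


def demo() -> tuple:
    """Walk-through: login at t=0, extend at t=1000, revoke at t=2000, use at t=3000."""
    alice = User("alice", "admin")
    s = extend_session(Session("alice", 0.0, 3600.0), 1000.0, 3600.0, 86400.0)
    alice.revoked_after = 2000.0           # denial period starts; session untouched
    return weak_is_valid(s, 3000.0), strict_is_valid(s, alice, 3000.0)
```

The weak check accepts the old session at t=3000 while the strict check rejects it; a fresh login after the revocation still passes the strict check because its issue time is later than the revocation time.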