Misconfigured security features or Incorrect use of security

Home / Hacking, News, Security / Misconfigured security features or Incorrect use of security

August 11, 2008 PlanetCreator 0 Comments 0 tags

Session cookie is not randomized enough
Numerous applications use a session cookie to maintain the state of a logged in user. The use of authentication to validate the user that has logged in is very common and most testers would focus on that aspect of the security. But a malicious user will look towards the session cookie itself to see how he/she could gain authorized access to the application. The session cookie must have very good algorithm to generate the randomness of the session cookie.

Malicious black hat hackers will use tools to determine what the randomness of the session cookie is. This is very easy to do and see if there is a logical pattern to assigning session cookies. If the developer of the application does not use enough randomness to generate the session cookie, there is no need to even have authentication. A random session cookie is vital to the application, without a properly randomized session cookie, a malicious user can and will walk all over the application.

Session cookie does not expire
If a session cookie does not expire then technically it could last…. forever. This means that a malicious black hat could steal a cookie via a XSS vulnerability or another type of man in the middle attack and use that session cookie to hijack your account. Additionally if there is not enough randomness and you can predict a session cookie that does not expire, well you can imagine the problems there.

Any session cookie that is used, must have an expiration time. Typically the expiration time starts counting down as soon as the web browser has been idle. And will expire if the web browser session has been idle for too long. Additionally the session cookie should also expire after a pre-determined time. No one wants a session cookie maintained forever just because a browser session is active.

Explore More

Hackers return fire at security patches

Hackers have hit back against major security patches issued by the likes of Microsoft, with a marked rise in self-installing robot programs that allow an unauthorised user to control a

Critical XSS Vulnerability in Ministry of Information & Broadcasting http://www.ddindia.gov.in

PlanetCreator.Net’s Security Team Member has reported another critical XSS vulnerability on Ministry of Information & Broadcasting http://www.ddindia.gov.in These are some information from Vulnerability Site http://www.ddindia.gov.in: This vulnerability has been alerted

WikiLeaks supporters step up cyber war

LONDON (AFP)â€” A group of hackers vowed on Thursday to intensify a “war of data” against Mastercard, Visa and other groups which have cut funding to the WikiLeaks website over

[webapps] WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection
on June 5, 2026 at 12:00 am
WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection
[webapps] Drupal Core 10.5.5 - Error-Based SQL Injection
on June 1, 2026 at 12:00 am
Drupal Core 10.5.5 - Error-Based SQL Injection
[webapps] WordPress OrderConvo 14 - Path Traversal
on June 1, 2026 at 12:00 am
WordPress OrderConvo 14 - Path Traversal
[webapps] YAMCS yamcs-core 5.12.7 - LDAP Injection
on May 30, 2026 at 12:00 am
YAMCS yamcs-core 5.12.7 - LDAP Injection
[webapps] YAMCS yamcs-core 5.12.7 - User Enumeration
on May 30, 2026 at 12:00 am
YAMCS yamcs-core 5.12.7 - User Enumeration