Authenticity of the session token is not being checked and validated at the server-side

What is the Vulnerability?

In a secure web application, once a user logs in, the server usually issues a session token. This token is often stored in a cookie, localStorage, or passed as a bearer token. It is used to verify the user’s identity on future requests.

This vulnerability happens when the server fails to check if the session token is legitimate. This means:

  • The token may be accepted even if it has been altered, generated by the user, or expired.
  • The application automatically trusts any token given by the client, without checking where it came from or if it is valid.

Real-world Example: If an attacker creates or changes a session token and the server does not verify it against a trusted session store or signature, the attacker can bypass authentication and gain unauthorized access. This is a typical case of Broken Authentication and is a serious issue according to the OWASP Top 10.

[Figure: JWT alg=none vulnerability illustration]

Impact of this Vulnerability

  • Unauthorized Access: Attackers can forge session tokens and impersonate valid users.

  • Session Hijacking: Without token validation, tokens leaked via XSS or logs can be reused indefinitely.

  • Escalation: Attackers can generate tokens with elevated roles (e.g., admin) and gain access to restricted resources.

  • Compliance Breach: Violates standard security policies required under GDPR, HIPAA, and PCI-DSS.

Solution to Fix the Vulnerability

To fix this issue effectively, developers need to use strict session token validation methods:

  • Always Validate Tokens Server-Side
    On each request, check the session token against the server-side session store for opaque tokens. For JWTs or signed tokens, verify:
    • Signature
    • Expiry (exp)
    • Issuer (iss)
    • Audience (aud)

  • Use Secure Token Standards
    Use signed JWT tokens with strong algorithms and never accept unsigned tokens. Store sensitive sessions in HTTP-only, Secure cookies with the right flags, such as SameSite=Strict.

  • Token Expiry & Rotation
    Use short-lived tokens and refresh token methods. Invalidate sessions after logout or after a period of inactivity.

  • Avoid Common Pitfalls
    Do not trust tokens from the client without validation. Avoid custom or outdated token methods that do not have cryptographic protection.

  • Vulnerable Libraries or Practices
    Do not use older versions of token libraries like:
    • jsonwebtoken (Node.js) before v8.5.1
    • PyJWT (Python) before v2.0
    • Custom token logic without cryptographic signatures
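The checks listed above (signature, exp, iss, aud, and refusing unsigned tokens) in working form, as an added example that is not part of the original page and is not code from any of the libraries it names. It implements HS256 verification with only the Python standard library, so the control flow of each check is visible; the secret key, issuer, audience and claim values are constructed demo inputs, and the unsigned and tampered tokens exist only as negative test cases for the verifier.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values; a real service loads the key from a secret store.
SECRET_KEY = b"demo-secret-key-not-for-production"
EXPECTED_ISSUER = "https://auth.example.test"
EXPECTED_AUDIENCE = "orders-api"
ALLOWED_ALGS = {"HS256"}  # explicit allow-list: "none" is never accepted
SAMPLE_NOW = 1_700_000_000  # fixed clock so results are reproducible


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Mint a properly signed HS256 JWT (used here only to build sample input)."""
    signing_input = f"{_encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_part(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """Negative test input: the alg=none shape from the figure above, no signature."""
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(claims)}."


def with_replaced_claims(token: str, claims: dict) -> str:
    """Negative test input: payload edited, original signature left in place."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_encode_part(claims)}.{sig_b64}"


class InvalidToken(Exception):
    pass


def verify_token(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> dict:
    """Server-side validation: alg allow-list, signature, exp, iss, aud.
    Raises InvalidToken on any failure; returns the claims only on success."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad split, bad base64, bad JSON
        raise InvalidToken(f"malformed token: {exc}")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("header and payload must be JSON objects")

    # 1. The header is client-controlled, so it must not choose the verifier.
    #    "none" and any algorithm outside the allow-list are rejected here.
    if header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken(f"algorithm not allowed: {header.get('alg')!r}")

    # 2. Signature over the exact header.payload bytes, constant-time compare.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")

    # 3. Expiry: a missing exp is a failure, not "never expires".
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("token expired or missing exp")

    # 4. Issuer and audience must be exactly what this service expects.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise InvalidToken("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("unexpected audience")
    return claims


def is_valid(token: str, now: float = SAMPLE_NOW) -> bool:
    """Boolean wrapper around verify_token for request handlers and tests."""
    try:
        verify_token(token, now=now)
        return True
    except InvalidToken:
        return False


def sample_claims(**overrides) -> dict:
    """Constructed claim set for the demo user; overrides build the negative cases."""
    claims = {"sub": "alice", "role": "user", "iss": EXPECTED_ISSUER,
              "aud": EXPECTED_AUDIENCE, "exp": SAMPLE_NOW + 300}
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    good = issue_token(sample_claims())
    print("signed token valid:", is_valid(good))
    print("alg=none rejected:", not is_valid(unsigned_token(sample_claims(role="admin"))))
    print("edited payload rejected:", not is_valid(with_replaced_claims(good, sample_claims(role="admin"))))
    print("expired rejected:", not is_valid(issue_token(sample_claims(exp=SAMPLE_NOW - 1))))
```

The order of the checks matters: the algorithm allow-list runs before anything derived from the header is used, and the signature is verified before any claim is read, so an attacker-controlled header or payload never influences which key or algorithm is trusted. Swapping HS256 for an asymmetric algorithm only changes step 2; the allow-list, expiry, issuer and audience checks stay the same.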