Session Puzzling - Session Variable Overloading
OWASP vulnerability description: https://owasp.org/www-community/vulnerabilities/Session_Variable_Overloading
Session Variable Overloading (also known as Session Puzzling, or Temporal Session Race Conditions) is an application-level vulnerability that can enable an attacker to perform a variety of malicious actions. It occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers, so that the session variable is set in one context and then used in another.
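The overloaded pattern next to a hardened one, as an added example that is not part of the original page or the OWASP text. A plain dict stands in for the server-side session, and every name (`USERS`, the handler functions, the `auth.user` and `recovery.candidate` keys) is hypothetical.

```python
# Constructed example: a dict stands in for the server-side session store.
# Passwords are plaintext only to keep the example short.
USERS = {"alice": "correct horse"}  # constructed sample account


# --- Overloaded design: "user" is written by two unrelated flows ---
def login_overloaded(session, username, password):
    if USERS.get(username) == password:
        session["user"] = username          # meaning: authenticated identity
        return True
    return False


def start_recovery_overloaded(session, username):
    if username in USERS:
        session["user"] = username          # meaning: account being recovered


def profile_overloaded(session):
    # Cannot tell which flow set "user", so it trusts either one.
    return "user" in session


# --- Hardened design: one key per purpose, auth key set only after login ---
def login(session, username, password):
    if USERS.get(username) == password:
        session.clear()                     # drop state left by other flows
        session["auth.user"] = username
        return True
    return False


def start_recovery(session, username):
    if username in USERS:
        session["recovery.candidate"] = username   # never read by auth checks


def profile(session):
    return "auth.user" in session


def demo():
    """Run the recovery step only, then ask each design whether we are logged in."""
    weak, fixed = {}, {}
    start_recovery_overloaded(weak, "alice")    # no password supplied
    start_recovery(fixed, "alice")
    return profile_overloaded(weak), profile(fixed)
```

When reviewing code for this issue, list every place a session key is written and confirm that each key read by an authorization check has exactly one writer, and that this writer runs only after credentials are verified.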
Demo
From 2011!!!!!!
Video: https://www.youtube.com/embed/-DackF8HsIE
Tools and payloads
- See updated chart: Attacks and tools for web pentesting.