Express express-session Weak Secret Key Detected

Severity: Medium

Summary#

Invicti detected that a weak secret is used in Express sessions.

The Express web application uses the express-session middleware. The middleware stores a session id in a cookie and uses a secret key to sign it for protection against data tampering. The application is using a weak/known secret key and Invicti managed to guess this key.

Impact#

An attacker can tamper the session id in the cookie.

Actions To Take#

Change the value of the secret key to a long random string.

Classifications#

WASC-14, OWASP 2013-A5, CWE-200, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N, OWASP 2017-A6

Select Category

Critical
High
Medium
Low
Best Practice
Information

Search Vulnerability

Related Vulnerabilities

Express express-session Weak Secret Key Detected

Related Articles

Build your resistance to threats. And save hundreds of hours each month.