Summary

The concurrent sessions of a system must be informed or controlled.

Description

A system that uses authenticated access sessions associated with unique users may allow simultaneous access with the same credentials. This can pose a risk for the service, the information and the system users, by allowing malicious users to interact simultaneously with the system using a valid user, thus leading to undetected identity thefts, unauthorized actions in name of the user (impersonation) and a loss of traceability of the impersonated users actions.

Supported In

This requirement is verified in following services

References

• CAPEC™-227. Sustained client engagement
• NIST 800-63B-7_1. Session bindings
• OWASP TOP 10-A7. Identification and authentication failures
• NYDFS-500_10. Cybersecurity personnel and intelligence
• MITRE ATT&CK®-M1018. User account management
• MITRE ATT&CK®-M1026. Privileged account management
• PA-DSS-10_2_3. Remote access to customer's payment applications must be implemented securely
• PDPO-6_31. Matching procedure request
• CMMC-SC_L2-3_13_7. Split tunneling
• FedRAMP-AC-10. Concurrent session control
• FedRAMP-IA-5_8. Authenticator management - Multiple information system accounts
• ISA/IEC 62443-UC-2_7. Concurrent session control
• WASSEC-3_1. Session management capabilities
• WASSEC-4_1_5. Supporting concurrent sessions
• OWASP SCP-3. Authentication and password management
• OWASP SCP-4. Session management
• NIST CSF-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization

Vulnerabilities

• 062.Concurrent sessions
• 301.Concurrent sessions control bypass

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.