# Inspect Session Handling

## Goal

Determine whether session identifiers, lifecycle, and cookie behavior are handled safely across login, logout, and privilege transitions.

## Assumptions

- the app uses cookies or token-backed session state
- browser behavior influences risk
- session rotation and invalidation may be incomplete

## Prerequisites

- one or more test accounts
- browser devtools or proxy tooling
- ability to observe cookies and replay requests

## Recon steps

1. Record session state before login.
2. Capture Set-Cookie headers on login and logout.
3. Observe session behavior across password changes, role changes, and inactivity.

## Exploit / test steps

1. Check whether the session identifier changes after login.
2. Check whether logout invalidates server-side state.
3. Replay requests with old cookies after logout.
4. Test whether cookies use HttpOnly, Secure, and appropriate SameSite.
5. Observe whether privileged transitions reuse old session state.

## Validation clues

- same session ID before and after login
- old cookies still work after logout
- cookies lack safe attributes
- session persists unexpectedly across trust transitions

## Mitigation

- rotate sessions after authentication and privilege change
- invalidate server-side sessions properly
- set safe cookie attributes
- keep session IDs out of URLs and logs
- align timeout policy with risk

## Logging / detection

- reused session IDs across multiple auth states
- post-logout reuse of supposedly dead sessions
- suspicious session reuse across IP/device shifts where appropriate

## Related notes

- session-management
- cookies-and-sessions
- auth-flaws
- csrf

## References

- Foundational: OWASP WSTG session management testing — https://owasp.org/www-project-web-security-testing-guide/latest/
- Foundational: OWASP Cheat Sheet Series — https://cheatsheetseries.owasp.org/
- Foundational: MDN Set-Cookie header — https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie
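The test steps and validation clues above (cookie attribute checks and session-ID rotation across login) can be scripted over the Set-Cookie headers a tester records from a proxy. The following is an added example, not part of the original playbook; the captured headers, the cookie name `sid`, and the helper names are constructed for illustration. The post-logout replay check needs a live target and is not covered here.

```python
"""Audit recorded Set-Cookie headers for a session cookie: attribute checks
and session-ID rotation across the login transition.  Added example; the
header values below are constructed, not captured from a real application."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed Set-Cookie header values, keyed by the step at which a tester
# observed them (pre-login, after login, after logout).
CAPTURED = {
    "pre_login":   "sid=a1b2c3; Path=/; HttpOnly",
    "post_login":  "sid=a1b2c3; Path=/; HttpOnly",        # same value: no rotation
    "post_logout": "sid=; Path=/; Max-Age=0; HttpOnly",   # cleared client-side only
}
SESSION_COOKIE = "sid"   # assumed name of the session cookie


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or None for flag attributes (Secure, HttpOnly)
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else None
    return ParsedCookie(name.strip(), value.strip(), attrs)


def attribute_findings(c: ParsedCookie) -> List[str]:
    """Report missing or weak attributes ('cookies lack safe attributes')."""
    findings = []
    if "httponly" not in c.attrs:
        findings.append("missing HttpOnly")
    if "secure" not in c.attrs:
        findings.append("missing Secure")
    samesite = (c.attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict (got %r)" % (c.attrs.get("samesite"),))
    return findings


def rotation_findings(captured: Dict[str, str], cookie_name: str) -> List[str]:
    """Report 'same session ID before and after login'."""
    pre = parse_set_cookie(captured["pre_login"])
    post = parse_set_cookie(captured["post_login"])
    if pre.name == post.name == cookie_name and pre.value == post.value:
        return ["session ID not rotated on login"]
    return []


def audit(captured: Dict[str, str] = CAPTURED,
          cookie_name: str = SESSION_COOKIE) -> Dict[str, List[str]]:
    """Run every check; findings are keyed by step, plus 'rotation' for cross-step checks."""
    report: Dict[str, List[str]] = {}
    for step, header in captured.items():
        c = parse_set_cookie(header)
        if c.name == cookie_name and c.value:     # skip the empty clearing cookie
            report[step] = attribute_findings(c)
    report["rotation"] = rotation_findings(captured, cookie_name)
    return report


if __name__ == "__main__":
    for step, findings in audit().items():
        print(step, "->", findings or "ok")
```

On the constructed input this flags the missing Secure flag, the missing SameSite setting, and the unchanged session ID across login; a clean header such as `sid=...; Secure; HttpOnly; SameSite=Lax` produces no attribute findings.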
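The mitigation items (rotate on authentication and privilege change, invalidate server-side state on logout, safe cookie attributes) and the detection items (post-logout reuse of dead sessions, reuse across auth states) fit together in one server-side design. The following is an added example, not the code of any framework or of the original playbook: a minimal in-memory session store whose audit events feed a detector. The class and function names, the 32-byte ID size, and the event shapes are assumptions made for the example.

```python
"""Minimal server-side session store: rotates the session ID on login and on
privilege change, invalidates server-side state on logout, and records audit
events that a detector scans for reuse of dead session IDs.
Added example; not production code, and the demo flow is constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: Optional[str]
    role: str
    created: float


Event = Tuple[str, str, Optional[str]]   # (event name, session id, user)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.events: List[Event] = []

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG (assumed policy)

    def create(self) -> str:
        """Anonymous pre-login session."""
        sid = self._new_id()
        self._sessions[sid] = Session(None, "anon", time.time())
        self.events.append(("create", sid, None))
        return sid

    def _rotate(self, old_sid: str, user: Optional[str], role: str) -> str:
        """Issue a fresh ID and make the old one unusable immediately (server side)."""
        self._sessions.pop(old_sid, None)
        self.events.append(("invalidate", old_sid, user))
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user, role, time.time())
        return new_sid

    def login(self, sid: str, user: str) -> str:
        new_sid = self._rotate(sid, user, "user")      # rotate after authentication
        self.events.append(("login", new_sid, user))
        return new_sid

    def elevate(self, sid: str, role: str) -> str:
        s = self._sessions[sid]
        new_sid = self._rotate(sid, s.user, role)      # rotate after privilege change
        self.events.append(("elevate", new_sid, s.user))
        return new_sid

    def logout(self, sid: str) -> None:
        s = self._sessions.pop(sid, None)              # drop server-side state, not just the cookie
        self.events.append(("logout", sid, s.user if s else None))

    def lookup(self, sid: str) -> Optional[Session]:
        """What a request handler calls; returns None for unknown or dead IDs."""
        s = self._sessions.get(sid)
        self.events.append(("request", sid, s.user if s else None))
        return s


def cookie_header(sid: str) -> str:
    """Set-Cookie value with the safe attributes the playbook asks for."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def detect_dead_session_reuse(events: List[Event]) -> List[str]:
    """Flag requests presenting an ID after it was logged out or rotated away."""
    dead: Dict[str, str] = {}
    alerts = []
    for ev, sid, user in events:
        if ev in ("logout", "invalidate"):
            dead[sid] = ev
        elif ev == "request" and sid in dead:
            alerts.append(f"session {sid[:8]}... reused after {dead[sid]}")
    return alerts


def demo() -> dict:
    """Constructed flow: anon -> login -> elevate -> logout, then replay every old cookie."""
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    admin = store.elevate(authed, "admin")
    store.logout(admin)
    replays = [store.lookup(s) for s in (anon, authed, admin)]
    return {
        "rotated_on_login": anon != authed,
        "rotated_on_elevate": authed != admin,
        "replays_rejected": all(r is None for r in replays),
        "alerts": detect_dead_session_reuse(store.events),
    }


if __name__ == "__main__":
    print(demo())
```

All three replayed IDs are rejected by `lookup`, and the detector raises one alert per replay: two for IDs retired by rotation and one for the logged-out ID. The same detector can be pointed at an application's own session audit log if it records invalidation and logout events with the session ID.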