Exposure of Data Element to Wrong Session

Draft Base

Structure: Simple

Description

This vulnerability occurs when an application fails to properly isolate data between different user sessions, allowing information from one user's session to leak into another's.

Extended Description

This flaw typically happens when application components, like singleton objects or pooled resources, are incorrectly used to store user-specific data. For instance, in Java Servlets, a single instance often handles requests for all users simultaneously. If a developer stores user data in the Servlet's member fields instead of the proper request or session scope, one user's data can become visible to another user, creating a race condition. To prevent this, always store user state in the appropriate session context (like `HttpSession`) or within local method variables, never in shared object fields. Ensure your design clearly separates per-request data from shared application data, and understand the threading model of your framework's components.

Common Consequences 1

Scope: Confidentiality

Impact: Read Application Data

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 3

Phase: Architecture and Design

Protect the application's sessions from information leakage. Make sure that a session's data is not used or visible by other sessions.

Phase: Testing

Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).

Phase: Architecture and Design

In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet.

Demonstrative Examples 1

The following Servlet stores the value of a request parameter in a member field and then later echoes the parameter value to the response output stream.

Code Example:Bad
Java
java

While this code will work perfectly in a single-user environment, if two users access the Servlet at approximately the same time, it is possible for the two request handler threads to interleave in the following way: Thread 1: assign "Dick" to name Thread 2: assign "Jane" to name Thread 1: print "Jane, thanks for visiting!" Thread 2: print "Jane, thanks for visiting!" Thereby showing the first user the second user's name.

References 1

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Katrina Tsipenyuk, Brian Chess, and Gary McGraw

NIST Workshop on Software Security Assurance Tools Techniques and Metrics • NIST

07-11-2005

https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

ID: REF-6

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Related Attack Patterns

Related Weaknesses

ChildOf:

Exposure of Resource to Wrong Sphere (CWE-668)

Taxonomy Mapping

7 Pernicious Kingdoms