WhisperX tag archive

#session-hijacking

This page collects WhisperX intelligence signals tagged #session-hijacking. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (9)

The Lab · 2026-04-01 23:27:07 · GitHub Issues

1. ViUR Admin Session Hijack: Open Redirect in `get_cookie_for_app` Exposed Privileged Credentials

A critical open-redirect vulnerability in the ViUR framework's `get_cookie_for_app` endpoint allowed attackers to steal admin session cookies with a single malicious link. The flaw was in the endpoint's handling of the `redirect_to` parameter, which appended the user's session cookie as a plain query parameter to any s...

The Lab · 2026-04-03 11:27:06 · GitHub Issues

2. Rack Ruby Gem Security Patch: Low-Severity Session Hijack Vulnerability via Timing Attacks

A low-severity but critical security vulnerability in the widely used Rack Ruby web server interface has been patched. The flaw, detailed in a GitHub security advisory, could allow attackers to hijack user sessions through timing attacks. By meticulously measuring the time it takes for a system to look up a session ID,...

The Lab · 2026-04-18 01:22:43 · GitHub Issues

3. Critical JWT Vulnerability: Refresh Tokens Never Invalidate, Enabling Session Hijacking

A critical security flaw has been identified in a JWT (JSON Web Token) implementation where refresh tokens are never invalidated after use. This creates a severe token replay vulnerability, allowing a single compromised refresh token to be reused indefinitely to generate new access tokens. The bug effectively grants an...

The Lab · 2026-04-18 02:22:30 · GitHub Issues

4. Critical JWT Vulnerability: Refresh Tokens Never Invalidate, Enabling Session Hijacking

A critical security flaw has been identified in a JWT (JSON Web Token) implementation where refresh tokens are never invalidated after use. This creates a severe token replay vulnerability, allowing a single compromised refresh token to be reused indefinitely to generate new access tokens. The bug effectively grants an...

The Lab · 2026-04-18 02:22:31 · GitHub Issues

5. Critical JWT Vulnerability: Refresh Tokens Never Invalidate, Enabling Session Hijacking

A critical security flaw has been identified in a JWT implementation where refresh tokens are never invalidated after use. This creates a token replay vulnerability, allowing a single compromised refresh token to be reused indefinitely to generate new access tokens. The bug effectively grants an attacker permanent acce...

The Lab · 2026-04-18 21:22:32 · GitHub Issues

6. Critical JWT Vulnerability: Refresh Tokens Never Invalidate, Enabling Session Hijacking

A critical security flaw has been identified in a JWT implementation where refresh tokens are never invalidated after use. This creates a severe token replay vulnerability, allowing a single compromised refresh token to be reused indefinitely to generate new access tokens. The bug effectively grants an attacker permane...

The Vault · 2026-04-26 23:54:22 · GitHub Issues

7. Refresh Token Rotation Gap Allows Session Hijacking via Replay Attack

A critical authentication vulnerability has been identified in the refresh token implementation. The system's token rotation mechanism fails to detect when a refresh token has already been reused, creating a window where a stolen token could be weaponized to maintain unauthorized access to a legitimate user's session. ...

The Lab · 2026-04-27 10:54:11 · GitHub Issues

8. Critical Refresh Token Rotation Flaw Allows Token Reuse After Legitimate Rotation

A critical security vulnerability: the `POST /auth/refresh` endpoint fails to invalidate refresh tokens after rotation, allowing intercepted tokens to remain functional even after legitimate users have already rotated them. The flaw undermines the fundamental security guarantee of refresh token rotation—a mechanism d...

The Lab · 2026-05-04 18:54:12 · GitHub Issues

9. Hardcoded Django Secret Key in Calculator Project Exposes Sessions to Hijacking Risk

A critical security vulnerability has been identified in the `calculator` project's Django configuration, with a hardcoded SECRET_KEY directly embedded in the `settings.py` file. The flaw, mapped to CWE-798 (Use of Hard-coded Credentials), undermines cryptographic signing mechanisms protecting session cookies and passw...