Logout Functionality

Check List

Methodology

Black Box

Logout Bypass

1. Open the browser and go to the login page of the target
2. Enter a valid username/email and password
3. Submit the login form and confirm you reach the authenticated dashboard
4. Click the Logout button
5. Confirm you are redirected to the login page or a "Logged out" message appears
6. Immediately after logout, press the Back button (or use the keyboard shortcut Alt + ←)
7. Observe whether the previous authenticated page reloads and you still have full access
8. Navigate freely inside the dashboard
9. Perform a privileged action (change settings, view private data) → If successful → Logout bypass confirmed

Failure to Invalidate Session on Logout

1. Log in to the application using the Chrome browser and browse the application
2. Use the "Edit this Cookie" plugin in Chrome and copy all the cookies present
3. Now log out of the application and clear the cookies from the browser
4. Use the "Edit this Cookie" plugin and paste all the cookies that were copied earlier
5. Click OK and refresh the page; you can see the application is logged in again
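The cookie copy/paste test above reproduces, as an added example that is not part of this checklist, against a minimal in-memory session store: a logout that only clears the browser cookie still accepts the copied token, while a logout that deletes the server-side record rejects it. The user store, cookie name and header values are constructed for the demo.

```python
import secrets

# Constructed demo credential store; a real app checks a password hash.
USERS = {"alice": "correct horse battery staple"}

# Headers every authenticated page and the logout response should carry so the
# browser does not serve the old dashboard from its cache when Back is pressed.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}
CLEAR_COOKIE = {"Set-Cookie": "session=; Max-Age=0; HttpOnly; Secure"}


class SessionStore:
    """Maps opaque session tokens to the authenticated user (server side)."""

    def __init__(self):
        self._sessions = {}

    def login(self, username, password):
        if USERS.get(username) != password:
            return None
        token = secrets.token_urlsafe(32)  # unguessable 256-bit identifier
        self._sessions[token] = username
        return token

    def user_for(self, token):
        """Authenticate a request by its cookie; None means not logged in."""
        return self._sessions.get(token)

    def logout_client_only(self, token):
        """Weak logout: only tells the browser to drop its cookie. The server
        record survives, so a copied cookie is accepted again."""
        return {**CLEAR_COOKIE, **NO_CACHE_HEADERS}

    def logout(self, token):
        """Correct logout: destroy the server-side record, then clear the
        client cookie; any copy of the token is now worthless."""
        self._sessions.pop(token, None)
        return {**CLEAR_COOKIE, **NO_CACHE_HEADERS}


def replay_succeeds(store, use_weak_logout):
    """Log in, keep a copy of the token, log out, present the copy again.
    True reproduces the checklist's 'Failure to Invalidate Session' finding."""
    token = store.login("alice", USERS["alice"])
    (store.logout_client_only if use_weak_logout else store.logout)(token)
    return store.user_for(token) is not None
```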


White Box

Cheat Sheet
