Weaknesses of this kind let an attacker capture or bypass the authentication mechanisms a web application relies on.
The attacker's goal is to take over one or more accounts and obtain the same privileges as the victim user.
A travel reservations application supports URL rewriting, so the session ID is carried in the URL itself:
http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
Whoever obtains that URL obtains the session. URLs end up in browser history, in proxy and server logs, and in the Referer header sent to other sites, and a user who shares the link to the sale shares an authenticated session along with it.
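The leak in this scenario is visible after the fact in ordinary access logs. The following Python script is an added example written for this page, not code from the page or from Hdiv: it parses a few constructed Common Log Format lines, flags every request whose URL carried a session identifier (the servlet-style `;jsessionid=` path parameter, or a query parameter from an assumed list of common session parameter names), and shows how to redact such URLs before they are stored or shared.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry a session identifier. This set is an
# assumption for the example; extend it for the frameworks you actually run.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "session_id", "sid", "cfid", "cftoken"}

# Servlet containers doing URL rewriting append the ID as a path parameter:
#   /sale/saleitems;jsessionid=VALUE?dest=Hawaii
PATH_PARAM_RE = re.compile(r";(?P<name>jsessionid)=(?P<value>[^;/?#]+)", re.IGNORECASE)

# Just enough Common Log Format parsing to pull out the client and the request URL.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for this example (not taken from a real server).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2023:13:57:01 +0000] "GET /account/profile?PHPSESSID=9f2c1ab8e7d6&tab=billing HTTP/1.1" 200 2210',
    '198.51.100.4 - - [10/Oct/2023:13:58:12 +0000] "GET /sale/saleitems?dest=Hawaii HTTP/1.1" 200 5120',
]


def exposed_session_ids(url):
    """Return [(param_name, value)] for every session identifier carried in the URL itself."""
    parts = urlsplit(url)
    hits = [(m.group("name").lower(), m.group("value")) for m in PATH_PARAM_RE.finditer(parts.path)]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES and value:
            hits.append((name.lower(), value))
    return hits


def redact_url(url, placeholder="REDACTED"):
    """Replace exposed session IDs so the URL can be logged or shared without giving away the session."""
    parts = urlsplit(url)
    path = PATH_PARAM_RE.sub(lambda m: f";{m.group('name')}={placeholder}", parts.path)
    pairs = [(n, placeholder if n.lower() in SESSION_PARAM_NAMES else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(path=path, query=urlencode(pairs)))


def scan_access_log(lines):
    """Flag every logged request whose URL carried a session identifier."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; a real scanner would count these
        for name, value in exposed_session_ids(m.group("url")):
            findings.append({"line": lineno, "client": m.group("client"), "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']}: session ID in URL via '{f['param']}' from {f['client']}")
    print(redact_url("http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii"))
```

Run as a script it reports the two leaking lines and prints the redacted form of the URL from the scenario. Redaction only limits the damage in logs; the fix is on the server side: disable URL rewriting and carry the session ID only in a cookie marked HttpOnly and Secure, so it never reaches browser history, Referer headers or proxy logs.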
A user signs in to the site on a public computer. Instead of selecting "logout", the user simply closes the browser tab and walks away. An hour later an attacker opens the same browser, and the session is still authenticated because the session timeout is far too long.
An insider or an external attacker gains access to the system's password database. The passwords are not properly hashed and salted, so every user's password is exposed.
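What "properly hashed and salted" means in practice, as an added example written for this page and not Hdiv's code: each password gets its own random 16-byte salt and is hashed with PBKDF2-HMAC-SHA256 from Python's standard library at the 600,000 iterations OWASP recommends for that algorithm; the stored record carries the algorithm, work factor and salt, so it can be verified in constant time and upgraded later. The `classify_stored_password` triage and its category names are assumptions for the example, intended for auditing a leaked or inherited password table like the one in this scenario.

```python
import hashlib
import hmac
import os
import re

# Work factor. OWASP's Password Storage Cheat Sheet recommends 600,000 iterations
# for PBKDF2-HMAC-SHA256. Lower it only in tests, never in production.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"

# Bare MD5 / SHA-1 / SHA-256 output: a fixed-length hex string with no salt or parameters.
UNSALTED_HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, which defeats precomputed (rainbow) tables and forces
    the attacker to crack each account separately."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and work factor, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != ALGORITHM or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, min_iterations=PBKDF2_ITERATIONS):
    """True when a record is below the current policy; rehash on the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations


def classify_stored_password(stored):
    """Rough triage of a password-column value (categories are constructed for this example)."""
    if stored.startswith(ALGORITHM + "$"):
        return "salted-pbkdf2"
    if UNSALTED_HEX_RE.match(stored):
        return "unsalted-digest"       # crackable offline with rainbow tables or GPUs
    return "plaintext-or-unknown"      # worst case: readable as-is


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("wrong", rec))
```

When `needs_rehash` is true for a record, rehash on the next successful login: stored hashes cannot be upgraded without the plaintext. A bare 32-, 40- or 64-hex-digit value in a password column is an unsalted fast digest that offline cracking will recover for most users, and the table should be treated as compromised as soon as it leaks.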
Usernames and passwords that are easy to guess or commonly used (default accounts, dictionary words, the same few passwords millions of people choose) can be guessed by attackers to obtain unauthorized access.
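Two controls address guessable credentials: reject weak passwords when they are set, and throttle online guessing at login. The Python below is an added example for this page, not Hdiv's implementation; the denylist is a constructed handful of entries standing in for a real breached-password corpus, and the lockout parameters (5 failures within 5 minutes, 15-minute lockout) are assumed values, not a recommendation from the page.

```python
import time
from collections import defaultdict, deque

# Constructed denylist for this example. In production load a large corpus of
# breached and common passwords and query it the same way.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "admin", "letmein",
    "welcome", "iloveyou", "password1", "monkey", "dragon",
}
MIN_LENGTH = 12


def password_problems(username, password):
    """Return the reasons a candidate password is guessable; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Catch the list entry itself and the usual "password1!" style padding.
    if lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789!") in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) <= 2:
        problems.append("uses too few distinct characters")
    return problems


class LoginThrottle:
    """Sliding-window lockout for online guessing.

    After `max_failures` failed attempts within `window` seconds for the same key
    (here the account name), further attempts are refused for `lockout` seconds.
    A successful login clears the key. The clock is injectable for testing."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:             # lockout expired: start with a clean slate
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
        return self.is_locked(key)

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle, username, password, check_credentials):
    """Refuse before touching the credential store when locked; return 'locked', 'ok' or 'failed'.

    Wrong password and unknown user both yield 'failed', so the response does not
    reveal which usernames exist."""
    if throttle.is_locked(username):
        return "locked"
    if check_credentials(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "failed"


if __name__ == "__main__":
    print(password_problems("alice", "password1"))
    throttle = LoginThrottle(max_failures=3, window=60, lockout=120)
    creds = lambda u, p: (u, p) == ("alice", "correct horse battery staple")
    for guess in ["123456", "qwerty", "letmein", "correct horse battery staple"]:
        print(guess, "->", attempt_login(throttle, "alice", guess, creds))
```

Keying the throttle on the account name means an attacker cannot dodge it by rotating IP addresses; the flip side is that anyone can lock a victim out on purpose, which is why deployments usually pair it with per-IP limits or a CAPTCHA step rather than relying on account lockout alone. The rejection of weak passwords at registration is what keeps a throttled attacker's few permitted guesses from succeeding.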
Risk Covered
Hdiv detects hard-coded keys and passwords in the code, excessively long session timeouts, session IDs exposed through URL rewriting, weak passwords, and whether the HttpOnly flag is set on the session cookie, among other weaknesses. It also protects applications against brute-force login attacks and, through its information flow control, denies access to unauthorized resources.