It is an application level vulnerability that the attacker can perform variety of malicious activities.
Mainly this vulnerability happens that the application session variable is using more than one purpose, so this is called session variable overloading or session puzzling.
This attack is to access application entry points. While exploiting session puzzles, the session objects creation can be indirectly initiated, and later exploited, by accessing anentry points such as web services, webpages, remote procedure calls, etc.
Session puzzle enables the attackers to bypass authentication, Impersonate legitimate users, elevate privileges, bypass flow restrictions, and even execute additional attacks.
Session puzzle vulnerability that can enable an attacker to impersonate valid users, by accessing a public entry point that stores input in a temporary session variable named username the password recovery page, and then directly accessing internal application pages that rely on the username session variable for authentication enforcement or privileges validation.

Detecting Session Puzzles:

Session puzzles can be detecting and exploited by using black box methodologies. And even though it’s much easier to detect instances in source code reviews.

Attack Vectors:

The Attacker can perform some application level attacks they are

  • Gather sensitive information (user data, system data)
  • Flood the application with Requests (Dos, DDos)
  • send malicious input to the application (injections, memory attacks, parameter manipulation)
  • Redirect users to entry points (csrf, click jacking, and phishing via redirection)
  • Privilege Escalation (permissions,flags)
  • Authentication Bypass (password recovery modules, registration modules)

In Authentication Bypass the attacker can find the victim information in the password recovery options, and registration modules. The attackers steal the user information and doing some malicious activities.
The attacker can steal the information from the session id like sometimes sensitive information like username such as the attacker steal that and doing the authentication bypass malicious activity.

  • Single consistent purpose only the Session variables shouldbe used.

Example for Authentication bypass:
Puzzle mall is a vulnerable web application designed for training purposes.


1. Open the puzzle mall application it showing the login page.

2. In that login page you have to set URL like this http://localhost:8080/puzzlemall/private/viewprofile.jsp

3. open new page In that page having one option forgot password we have to click that it showing one page there we will give the finding username there.

4.It showing another page there it asks password recovery questions.

5.We didn’t do anything in that page and we going tofirst page now try to refresh in that page we gave /private/ first page url. It is showing the full profile details for that user name.

  • Store objects instead of variables
  • Use different objects for authenticated / unauthenticated zones
  • The login module should populate the identity and privilege values
  • Only populate the session with values after validations
  • Do not store unnecessary values in the session.