Fix: Placeholder for session mismanagement vulnerability in profile update endpoint (Issue #197) #198

Open
wants to merge 1 commit into
base: main
Conversation

eMKayRa0
@eMKayRa0 eMKayRa0 commented Jul 2, 2025

Placeholder PR for Session Mismanagement Vulnerability on app.aixblock.io – Issue #197
This pull request introduces a placeholder file for Issue #197, which reports a critical session mismanagement / broken authentication vulnerability in the PATCH /api/users/{id} endpoint on:

https://app.aixblock.io


🔍 Vulnerability Overview

Even after a user logs out of the application, previously captured PATCH requests (used to modify user profile fields) remain valid. This allows replay attacks using tools like Burp Suite to change:

  • first_name
  • last_name
  • username

This occurs without requiring a fresh login, indicating session tokens or cookies (sessionid) are not invalidated server-side upon logout.


🚨 Security Implications

| Risk | Description |
| --- | --- |
| 🔁 Replay Attack | Attackers can reuse captured requests to change user data |
| 👤 Impersonation | Changing usernames allows masquerading as other users |
| 🔐 Incomplete Logout Handling | Sessions remain active beyond intended boundaries |
| 🧱 Insecure Design | Indicates lack of server-side authorization on state-changing API |

🧪 Reproduction Steps

1. Login as a valid user.
2. Change first name via profile settings.
3. Capture the PATCH /api/users/{id} request in Burp Suite.
4. Log out of the app.
5. Replay the request via Repeater.
6. Observe 200 OK with updated profile info.

📸 Screenshots & Proof

(Attach images in later security report PR, including Burp Repeater, profile view before/after logout, etc.)

🛡️ Suggested Fixes

    Invalidate all session tokens on logout

    Add strict server-side authentication & ID match for PATCH /api/users/{id}

    Reject requests with expired sessions or missing re-authentication

    Consider re-verification for sensitive profile field updates (e.g., username)

🧩 References

    OWASP A2: Broken Authentication

    OWASP Session Management Cheatsheet
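The logout-then-replay flow from the report, modelled as an added example that is not AIXblock's code. The in-memory session store, the two sample users, the numeric ids and the `invalidate_on_logout` switch are all constructed for illustration; the field names are the three the report says can be changed. The switch contrasts a logout that only clears the client's `sessionid` cookie (the behaviour the report describes) with one that also deletes the session record server-side, and the PATCH handler applies the second suggested fix by requiring that the session's user match the `{id}` in the path.

```python
"""Model of logout handling and a PATCH /api/users/{id} handler (added example)."""
import secrets

# Fields the report says a replayed PATCH could change.
ALLOWED_FIELDS = {"first_name", "last_name", "username"}


class ProfileService:
    """In-memory stand-in for the app's session store and user table (constructed)."""

    def __init__(self, invalidate_on_logout: bool) -> None:
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions: dict = {}            # sessionid -> user id
        self.users: dict = {                # constructed sample users
            1: {"first_name": "Alice", "last_name": "A", "username": "alice"},
            2: {"first_name": "Bob", "last_name": "B", "username": "bob"},
        }

    def login(self, user_id: int) -> str:
        """Issue a fresh, unguessable sessionid bound to this user."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user_id
        return sid

    def logout(self, sid: str) -> dict:
        """Cookie-only logout leaves the server-side record alive, so a captured
        request that still carries the old sessionid keeps working. Deleting the
        record is the first fix the report asks for."""
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)
        # Either way the client is told to drop its cookie; only the server-side
        # record decides whether a replay succeeds.
        return {"status": 200, "set_cookie": "sessionid=; Max-Age=0"}

    def patch_user(self, sid: str, target_id: int, fields: dict) -> dict:
        """PATCH /api/users/{id}: the session must resolve to a live user, that
        user must own the {id} being modified, and only known fields are accepted."""
        user_id = self.sessions.get(sid)
        if user_id is None:
            return {"status": 401, "error": "no valid session"}
        if user_id != target_id:
            return {"status": 403, "error": "session user does not own this id"}
        if set(fields) - ALLOWED_FIELDS:
            return {"status": 400, "error": "unknown field"}
        self.users[target_id].update(fields)
        return {"status": 200, "user": dict(self.users[target_id])}


def replay_after_logout(invalidate_on_logout: bool) -> int:
    """Reproduction steps 1-6: log in, capture a PATCH, log out, replay it.
    Returns the HTTP status the replayed request receives."""
    svc = ProfileService(invalidate_on_logout)
    sid = svc.login(1)
    captured = (sid, 1, {"first_name": "Mallory"})      # what Burp would hold
    assert svc.patch_user(*captured)["status"] == 200   # steps 2-3: legitimate change
    svc.logout(sid)                                      # step 4
    return svc.patch_user(*captured)["status"]           # steps 5-6: the replay


def cross_user_patch() -> int:
    """A live session for user 2 trying to PATCH user 1's profile (ID-match check)."""
    svc = ProfileService(invalidate_on_logout=True)
    sid = svc.login(2)
    return svc.patch_user(sid, 1, {"username": "alice"})["status"]


if __name__ == "__main__":
    print("replay, cookie-only logout:", replay_after_logout(False))
    print("replay, server-side invalidation:", replay_after_logout(True))
    print("other user's id with a live session:", cross_user_patch())
```

With cookie-only logout the replay still returns 200, which is the observation in the report; with the session record deleted the same captured request gets 401, and a live session used against another user's id gets 403. In a real deployment the delete must hit the shared session backend (database or cache), not just the worker that served the logout, or the replay keeps working against other workers.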
