Merge pull request #421 from bugcrowd/Ryan-update-1

Updated Steps to Reproduce
bugcrowd · Mar 27, 2023 · e6286ff · e6286ff
2 parents a2ceacc + 93783a5
commit e6286ff
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/...tion_and_session_management/failure_to_invalidate_session/on_logout/template.md b/...tion_and_session_management/failure_to_invalidate_session/on_logout/template.md
@@ -14,10 +14,18 @@ Failure to invalidate a session on logout may also lead to data theft through th
 
 ## Steps to Reproduce
 
-1. Sign into a user’s account (Browser A)
-1. Sign into the same user’s account, using a different browser (Browser B)
-1. Using Browser A, logout of the account
-1. Using Browser B, observe that the user session is still valid
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Use a browser to navigate to: {{URL}}
+1. Sign into a user account
+1. In the HTTP interception proxy, capture any authenticated GET or POST request
+1. Log out of the user account in the browser
+1. In the HTTP interception proxy, resend the following request to the endpoint {{URL}}:
+
+```HTTP
+{{request}}
+```
+
+1. Observe that the session token was not invalidated on logout
 
 ## Proof of Concept (PoC)