πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Infinite Token

Infinite Token (or Token Cycling) vulnerability occurs when a refresh token is designed in a way that it never expires or can continuously issue new refresh tokens. This allows for indefinite authentication sessions, even in cases where a token is compromised.

Remediation

  • Always enforce a finite lifetime for refresh tokens, ensuring they expire after a reasonable period.
  • Implement a rotation mechanism where each refresh token is single-use and a new one is issued upon successful usage. Revoke the old token upon rotation.
  • Use sliding expiration for refresh tokens, where the lifetime is extended only when valid tokens are used near expiration. Avoid indefinite extensions.
  • * Ensure that logging out invalidates all active tokens, both access and refresh, across devices.
  • Require users to re-authenticate periodically or for high-risk actions, reducing reliance on long-lived tokens.

Metadata

  • Severity: medium
  • Slug: infinite-token

CWEs

  • 613: Insufficient Session Expiration

OWASP

  • A07:2021: Identification and Authentication Failures
Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.