Added Session Management Vulnerability

[CHI7440]

Resolves #647

This introduces a new Session Management Vulnerability module to VulnerableApp. The goal is to add session-related security scenarios that were previously missing, while keeping the implementation aligned with the existing VulnerableApp pattern of vulnerable earlier levels and a secure later level.

The new module is exposed as:

/VulnerableApp/SessionManagementVulnerability

It uses annotation-driven discovery through @VulnerableAppRestController, @VulnerableAppRequestMapping, and @AttackVector, so the new levels appear in the legacy UI, scanner metadata, sitemap, and facade definitions.

Implemented Levels

LEVEL_1 - Session Fixation

Demonstrates CWE-384. The application accepts a client-supplied VAPP_SESSION_ID before login and keeps the same session token after authentication. The response shows the pre-login token, post-login token, and whether session fixation was confirmed.

LEVEL_2 - Predictable Session IDs

Demonstrates CWE-330. The application generates session IDs using a predictable counter such as SESSION-1001, SESSION-1002, etc. Users can log in multiple times and check profiles by manually supplied session tokens to demonstrate guessable session IDs.

LEVEL_3 - Missing Logout Invalidation

Demonstrates CWE-613. Logout clears the client-side cookie but intentionally does not destroy the server-side session. Reusing the old session token after logout still allows profile access.

LEVEL_4 - No Login Rate Limiting

Demonstrates CWE-307. The application allows repeated failed login attempts without throttling, lockout, delay, or CAPTCHA. Responses explicitly show that attempts remain allowed and rate limiting is not applied.

LEVEL_5 - Secure Session Management

Adds a secure comparison level marked with Variant.SECURE. This level regenerates the session token after login, uses random UUID session IDs, invalidates server-side sessions on logout, and applies a simple username-based failed-login limit.

Database Support

Added a new session_users table for this module instead of reusing auth_users, keeping session-management scenarios independent from authentication vulnerabilities.

Seeded users:

session_admin / password123 / ADMIN
session_user / password123 / USER

Frontend Templates

Added separate legacy UI templates for each level under:

src/main/resources/static/templates/SessionManagementVulnerability/

Each level has focused HTML/CSS/JS to keep the UI simple and avoid level-specific conditionals.

Scanner Metadata

Added new vulnerability types:

SESSION_FIXATION
PREDICTABLE_SESSION_ID
MISSING_LOGOUT_INVALIDATION
NO_LOGIN_RATE_LIMITING

Added corresponding attack-vector payloads and i18n descriptions.

Tests

Added focused service tests covering all implemented levels:

SessionManagementServiceTest

The tests verify vulnerable and secure behavior for session fixation, predictable IDs, logout invalidation, missing rate limiting, secure token regeneration, secure logout invalidation, and failed-login blocking.

Password Reset And SMTP Scope

This PR focuses only on session-management vulnerabilities. Password reset vulnerabilities and SMTP-based reset flows are intentionally left out of scope because they represent a separate vulnerability area and require different user flows, backend logic, and possibly SMTP infrastructure.

Those scenarios should be handled in a follow-up issue/PR.

Summary by CodeRabbit

• New Features
  • Added a Session Management module with five levels demonstrating session fixation, predictable session IDs, missing logout invalidation, absent login rate limiting, and a secure management scenario.
• UI
  • Added interactive pages, styles, and client scripts for each level to exercise login/profile/logout flows and session tokens.
• Database
  • Added schema and seed data for session user accounts used by the module.
• Tests
  • Added a comprehensive test suite covering level behaviors and session lifecycle.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e3c22bbd-dbf2-45ac-86cf-b83cde263600

📥 Commits

Reviewing files that changed from the base of the PR and between a42b4a0 and 7f23412.

📒 Files selected for processing (3)

• src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementService.java
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_1/SessionManagement.js
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_5/SecureSessionManagement.js

🚧 Files skipped from review as they are similar to previous changes (3)

• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_5/SecureSessionManagement.js
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_1/SessionManagement.js
• src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementService.java

---

📝 Walkthrough

Walkthrough

This PR implements a complete session management vulnerability module for VulnerableApp, adding five progressive security levels that demonstrate common session handling flaws: session fixation, predictable token generation, missing logout invalidation, absence of rate limiting, and secure (correct) session practices. The implementation spans backend service logic with in-memory session storage, REST endpoints, frontend UI templates for each level, database support, and comprehensive tests.

Changes

Session Management Vulnerabilities

Layer / File(s)	Summary
User Model and Authentication Repository src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionUser.java, src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionUserRepository.java, src/main/resources/scripts/SessionManagement/db/schema.sql, src/main/resources/scripts/SessionManagement/db/data.sql	SessionUser POJO holds user credentials (id, username, password, role); SessionUserRepository queries session_users by username/password; DB DDL creates the session_users table and DML seeds two users.
Session Management Service Implementation and Tests src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementService.java, src/test/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementServiceTest.java	Service stores server-side sessions in a concurrent map and manages five vulnerability levels: L1 preserves client-supplied session IDs (session fixation), L2 generates predictable sequential IDs, L3 uses random UUIDs but demonstrates missing logout invalidation, L4 shows no login rate limiting, and L5 enforces per-username lockout and session regeneration. Profile and logout variants differ in server-side invalidation. Unit tests validate each level's behavior.
REST Controller Endpoints src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementVulnerability.java	Adds five controller endpoints (level1–level5) that dispatch actions (login, profile, logout) to the service and map level-specific request parameters and cookie handling.
Level 1 Frontend - Session Fixation UI src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_1/SessionManagement.html, .css, .js	UI to preset a VAPP_SESSION_ID cookie, perform login, check profile, and logout to demonstrate session fixation behavior.
Level 2 Frontend - Predictable Session IDs UI src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_2/PredictableSessionId.html, .css, .js	UI showing predictable sequential session IDs generated on login and token-based profile checking.
Level 3 Frontend - Missing Logout Invalidation UI src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_3/MissingLogoutInvalidation.html, .css, .js	UI demonstrating logout that clears cookie but leaves server-side session valid for subsequent profile access.
Level 4 Frontend - No Login Rate Limiting UI src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_4/NoLoginRateLimiting.html, .css, .js	UI to exercise repeated login attempts without rate limiting to demonstrate brute-force vulnerability.
Level 5 Frontend - Secure Session Management UI src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_5/SecureSessionManagement.html, .css, .js	UI demonstrating secure behavior: optional pre-login token, session regeneration on successful login, per-username lockout after failures, and proper server-side invalidation on logout.
Metadata, Internationalization, and Configuration src/main/java/org/sasanlabs/vulnerability/types/VulnerabilityType.java, src/main/resources/i18n/messages.properties, src/main/resources/attackvectors/SessionManagementVulnerabilityPayload.properties, src/main/java/org/sasanlabs/configuration/VulnerableAppConfiguration.java	Adds enum constants for session vulnerabilities, i18n messages, payload descriptors, and extends DB initialization to run the session schema/data scripts at startup.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

first-time-contributor

Suggested reviewers

• preetkaran20

Poem

🐰 I found a cookie on the floor,
I set it, logged in, then I swore —
Some tokens stay, some tokens flee,
Five levels teach what not to be.
Hop, patch, and fix — secure we’ll be!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 3.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title "Added Session Management Vulnerability" is concise, clear, and accurately reflects the primary change: introducing a new session management vulnerability module with multiple levels.
Linked Issues check	✅ Passed	The PR successfully implements all four core objectives from issue #647: session fixation (CWE-384, LEVEL_1), predictable session IDs (CWE-330, LEVEL_2), missing logout invalidation (CWE-613, LEVEL_3), and no login rate limiting (CWE-307, LEVEL_4), with an additional secure variant (LEVEL_5).
Out of Scope Changes check	✅ Passed	All changes are within scope: session management implementation for four vulnerability levels, supporting infrastructure (database schema, UI templates, i18n), and tests. Password reset scenarios are explicitly deferred as noted in PR scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementService.java`:
- Around line 167-179: The profile method currently calls
sessions.containsKey(sessionId) then sessions.get(sessionId), which can race
with logout and yield a null SessionUser; change profile to read the map once
into a local (SessionUser user = sessions.get(sessionId)), validate sessionId
(null/blank) and that user != null, and only then access
user.getId()/getUsername()/getRole(); update the method to return the same error
response when the retrieved user is null to make the lookup atomic and avoid
NPEs.
- Around line 126-145: level5Login currently accesses level5FailedAttempts with
the raw username which throws if username is null; add a null/empty guard at the
start of level5Login (before any getOrDefault or merge) and treat a missing
username the same as invalid credentials (return the same response structure:
message "Invalid credentials", failedAttempts omitted or zero,
rateLimitingApplied true) instead of touching level5FailedAttempts; ensure
subsequent calls to level5FailedAttempts.merge(username, ...) only run when
username is non-null (or use a non-null local key after the guard) so
SessionManagementVulnerability.level5SecureSessionManagement's optional username
won't cause a 500.
- Around line 149-151: The code currently removes an entry from the shared
sessions map using the untrusted incomingSessionId
(sessions.remove(incomingSessionId)), which allows a client to revoke other
users' sessions; in SessionManagementService locate the method that handles
login/session regeneration where incomingSessionId is used and remove the
unconditional sessions.remove(incomingSessionId) call, instead always generate
and store a fresh session id for the new login (and return the new token), and
only revoke or replace an existing session after verifying the incomingSessionId
belongs to the authenticated user (e.g., compare the stored session's user
identifier to the authenticated principal) before deleting from the sessions
map.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_1/SessionManagement.css`:
- Around line 97-99: Replace the deprecated property "word-break: break-word" in
SessionManagement.css with a combination of a non-deprecated word-break value
and overflow-wrap to preserve wrapping: remove "word-break: break-word", add
"overflow-wrap: anywhere;" and set "word-break: normal;" (or another appropriate
non-deprecated value) in the same CSS rule where "white-space: pre-wrap;" was
defined so stylelint passes and wrapping behavior is preserved.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_2/PredictableSessionId.css`:
- Around line 97-99: Replace the deprecated CSS property by removing
"word-break: break-word" and use "overflow-wrap: break-word" in the same rule
where "white-space: pre-wrap" is declared (look for the rule containing
white-space: pre-wrap; and the string "word-break: break-word"); update that
rule to include overflow-wrap: break-word to preserve wrapping behavior and
satisfy linters.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_3/MissingLogoutInvalidation.css`:
- Line 98: The CSS rule using the deprecated declaration "word-break:
break-word;" in MissingLogoutInvalidation.css should be replaced with modern
wrapping properties; remove the deprecated line and add "overflow-wrap:
anywhere;" (and, if you need more aggressive breaking for long strings, consider
also adding "word-break: break-word" is deprecated so prefer "word-break:
break-all" only when appropriate), ensuring the selector that contained
"word-break: break-word;" now uses "overflow-wrap: anywhere;" to satisfy
stylelint and current spec.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_4/NoLoginRateLimiting.css`:
- Line 98: Replace the deprecated CSS rule "word-break: break-word" in
NoLoginRateLimiting.css with a standards-compliant wrapping rule: remove the
"word-break: break-word" declaration and add "overflow-wrap: anywhere" (and
optionally "word-wrap: break-word" for legacy support) in the same selector so
text wrapping behavior is preserved without using the deprecated property.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_5/SecureSessionManagement.css`:
- Line 98: The CSS contains the deprecated rule "word-break: break-word;" —
replace it with the standards-aligned property "overflow-wrap: anywhere;" (and
remove or set "word-break" to a normal value if present) so stylelint stops
flagging the rule and wrapping behavior remains the same; update the occurrence
of the "word-break: break-word;" declaration in SecureSessionManagement.css
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 410b828d-9adb-4288-9bd4-9c2afb9c12a8

📥 Commits

Reviewing files that changed from the base of the PR and between d1ca12f and a42b4a0.

📒 Files selected for processing (26)

• src/main/java/org/sasanlabs/configuration/VulnerableAppConfiguration.java
• src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementService.java
• src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementVulnerability.java
• src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionUser.java
• src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionUserRepository.java
• src/main/java/org/sasanlabs/vulnerability/types/VulnerabilityType.java
• src/main/resources/attackvectors/SessionManagementVulnerabilityPayload.properties
• src/main/resources/i18n/messages.properties
• src/main/resources/scripts/SessionManagement/db/data.sql
• src/main/resources/scripts/SessionManagement/db/schema.sql
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_1/SessionManagement.css
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_1/SessionManagement.html
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_1/SessionManagement.js
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_2/PredictableSessionId.css
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_2/PredictableSessionId.html
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_2/PredictableSessionId.js
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_3/MissingLogoutInvalidation.css
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_3/MissingLogoutInvalidation.html
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_3/MissingLogoutInvalidation.js
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_4/NoLoginRateLimiting.css
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_4/NoLoginRateLimiting.html
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_4/NoLoginRateLimiting.js
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_5/SecureSessionManagement.css
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_5/SecureSessionManagement.html
• src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_5/SecureSessionManagement.js
• src/test/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementServiceTest.java

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard LEVEL_5 login before touching level5FailedAttempts.

SessionManagementVulnerability.level5SecureSessionManagement passes username as an optional request param, but level5FailedAttempts.getOrDefault(username, 0) and merge(username, ...) will throw when username is null because ConcurrentHashMap does not accept null keys. A request like LEVEL_5?action=login with a missing username currently returns 500 instead of a normal invalid-credentials response.

Proposed fix

     public ResponseEntity<GenericVulnerabilityResponseBean<Object>> level5Login(
             String username, String password, String incomingSessionId) {
+        if (username == null || username.isBlank() || password == null || password.isBlank()) {
+            return response("Invalid credentials", false);
+        }
+
         if (level5FailedAttempts.getOrDefault(username, 0) >= 3) {
             Map<String, Object> content = new LinkedHashMap<>();
             content.put("message", "Too many failed attempts");

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	public ResponseEntity<GenericVulnerabilityResponseBean<Object>> level5Login(
	String username, String password, String incomingSessionId) {
	if (level5FailedAttempts.getOrDefault(username, 0) >= 3) {
	Map<String, Object> content = new LinkedHashMap<>();
	content.put("message", "Too many failed attempts");
	content.put("rateLimitingApplied", true);
	content.put("loginBlocked", true);
	return response(content, false);
	}
	Optional<SessionUser> user =
	sessionUserRepository.findByUsernameAndPassword(username, password);
	if (user.isEmpty()) {
	level5FailedAttempts.merge(username, 1, Integer::sum);
	Map<String, Object> content = new LinkedHashMap<>();
	content.put("message", "Invalid credentials");
	content.put("failedAttempts", level5FailedAttempts.get(username));
	content.put("rateLimitingApplied", true);
	return response(content, false);
	}
	public ResponseEntity<GenericVulnerabilityResponseBean<Object>> level5Login(
	String username, String password, String incomingSessionId) {
	if (username == null || username.isBlank() || password == null || password.isBlank()) {
	return response("Invalid credentials", false);
	}
	if (level5FailedAttempts.getOrDefault(username, 0) >= 3) {
	Map<String, Object> content = new LinkedHashMap<>();
	content.put("message", "Too many failed attempts");
	content.put("rateLimitingApplied", true);
	content.put("loginBlocked", true);
	return response(content, false);
	}
	Optional<SessionUser> user =
	sessionUserRepository.findByUsernameAndPassword(username, password);
	if (user.isEmpty()) {
	level5FailedAttempts.merge(username, 1, Integer::sum);
	Map<String, Object> content = new LinkedHashMap<>();
	content.put("message", "Invalid credentials");
	content.put("failedAttempts", level5FailedAttempts.get(username));
	content.put("rateLimitingApplied", true);
	return response(content, false);
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementService.java`
around lines 126 - 145, level5Login currently accesses level5FailedAttempts with
the raw username which throws if username is null; add a null/empty guard at the
start of level5Login (before any getOrDefault or merge) and treat a missing
username the same as invalid credentials (return the same response structure:
message "Invalid credentials", failedAttempts omitted or zero,
rateLimitingApplied true) instead of touching level5FailedAttempts; ensure
subsequent calls to level5FailedAttempts.merge(username, ...) only run when
username is non-null (or use a non-null local key after the guard) so
SessionManagementVulnerability.level5SecureSessionManagement's optional username
won't cause a 500.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t revoke server sessions based on an untrusted incoming token.

In the secure flow, any incomingSessionId is removed from the shared sessions map before the new session is created. If a client submits another user’s valid token here, this login path force-logs out that unrelated session. Regeneration should issue a fresh token for the new login, not treat the presented cookie as authorization to delete existing server-side state.

Safer direction

         level5FailedAttempts.remove(username);
         String sessionId = UUID.randomUUID().toString();
-        if (incomingSessionId != null && !incomingSessionId.isBlank()) {
-            sessions.remove(incomingSessionId);
-        }
         sessions.put(sessionId, user.get());

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementService.java`
around lines 149 - 151, The code currently removes an entry from the shared
sessions map using the untrusted incomingSessionId
(sessions.remove(incomingSessionId)), which allows a client to revoke other
users' sessions; in SessionManagementService locate the method that handles
login/session regeneration where incomingSessionId is used and remove the
unconditional sessions.remove(incomingSessionId) call, instead always generate
and store a fresh session id for the new login (and return the new token), and
only revoke or replace an existing session after verifying the incomingSessionId
belongs to the authenticated user (e.g., compare the stored session's user
identifier to the authenticated principal) before deleting from the sessions
map.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make the session lookup in profile atomic.

profile checks sessions.containsKey(sessionId) and then does a second lookup with sessions.get(sessionId). If logout removes the entry between those calls, user becomes null and Line 174 dereferences it. Read once and validate the retrieved SessionUser instead.

Proposed fix

     public ResponseEntity<GenericVulnerabilityResponseBean<Object>> profile(String sessionId) {
-        if (sessionId == null || sessionId.isBlank() || !sessions.containsKey(sessionId)) {
+        if (sessionId == null || sessionId.isBlank()) {
             return response("No valid session found", false);
         }
 
         SessionUser user = sessions.get(sessionId);
+        if (user == null) {
+            return response("No valid session found", false);
+        }
         Map<String, Object> content = new LinkedHashMap<>();
         content.put("userId", user.getId());

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/main/java/org/sasanlabs/service/vulnerability/sessionManagement/SessionManagementService.java`
around lines 167 - 179, The profile method currently calls
sessions.containsKey(sessionId) then sessions.get(sessionId), which can race
with logout and yield a null SessionUser; change profile to read the map once
into a local (SessionUser user = sessions.get(sessionId)), validate sessionId
(null/blank) and that user != null, and only then access
user.getId()/getUsername()/getRole(); update the method to return the same error
response when the retrieved user is null to make the lookup atomic and avoid
NPEs.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace deprecated word-break: break-word usage.

Use overflow-wrap + a non-deprecated word-break value to keep wrapping behavior and satisfy stylelint.

Suggested patch

 .session-response {
     margin: 0;
     padding: 8px;
     border: 1px solid black;
     border-radius: 4px;
     background: `#fff`;
     color: black;
     text-align: left;
     white-space: pre-wrap;
-    word-break: break-word;
+    overflow-wrap: anywhere;
+    word-break: normal;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	white-space: pre-wrap;
	word-break: break-word;
	}
	white-space: pre-wrap;
	overflow-wrap: anywhere;
	word-break: normal;
	}

🧰 Tools

🪛 Stylelint (17.12.0)

[error] 98-98: Deprecated keyword "break-word" for property "word-break" (declaration-property-value-keyword-no-deprecated)

(declaration-property-value-keyword-no-deprecated)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_1/SessionManagement.css`
around lines 97 - 99, Replace the deprecated property "word-break: break-word"
in SessionManagement.css with a combination of a non-deprecated word-break value
and overflow-wrap to preserve wrapping: remove "word-break: break-word", add
"overflow-wrap: anywhere;" and set "word-break: normal;" (or another appropriate
non-deprecated value) in the same CSS rule where "white-space: pre-wrap;" was
defined so stylelint passes and wrapping behavior is preserved.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use non-deprecated text wrapping properties.

word-break: break-word is deprecated; replace it with overflow-wrap to preserve behavior and pass linting.

Suggested patch

 .session-response {
     margin: 0;
     padding: 8px;
     border: 1px solid black;
     border-radius: 4px;
     background: `#fff`;
     color: black;
     text-align: left;
     white-space: pre-wrap;
-    word-break: break-word;
+    overflow-wrap: anywhere;
+    word-break: normal;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	white-space: pre-wrap;
	word-break: break-word;
	}
	.session-response {
	margin: 0;
	padding: 8px;
	border: 1px solid black;
	border-radius: 4px;
	background: `#fff`;
	color: black;
	text-align: left;
	white-space: pre-wrap;
	overflow-wrap: anywhere;
	word-break: normal;
	}

🧰 Tools

🪛 Stylelint (17.12.0)

[error] 98-98: Deprecated keyword "break-word" for property "word-break" (declaration-property-value-keyword-no-deprecated)

(declaration-property-value-keyword-no-deprecated)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_2/PredictableSessionId.css`
around lines 97 - 99, Replace the deprecated CSS property by removing
"word-break: break-word" and use "overflow-wrap: break-word" in the same rule
where "white-space: pre-wrap" is declared (look for the rule containing
white-space: pre-wrap; and the string "word-break: break-word"); update that
rule to include overflow-wrap: break-word to preserve wrapping behavior and
satisfy linters.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace deprecated word-break: break-word.

This value is deprecated and already flagged by stylelint; update wrapping rules to avoid lint failure and future CSS behavior drift.

Suggested fix

 .session-response {
@@
-    word-break: break-word;
+    word-break: normal;
+    overflow-wrap: anywhere;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	word-break: break-word;
	word-break: normal;
	overflow-wrap: anywhere;

🧰 Tools

🪛 Stylelint (17.12.0)

[error] 98-98: Deprecated keyword "break-word" for property "word-break" (declaration-property-value-keyword-no-deprecated)

(declaration-property-value-keyword-no-deprecated)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_3/MissingLogoutInvalidation.css`
at line 98, The CSS rule using the deprecated declaration "word-break:
break-word;" in MissingLogoutInvalidation.css should be replaced with modern
wrapping properties; remove the deprecated line and add "overflow-wrap:
anywhere;" (and, if you need more aggressive breaking for long strings, consider
also adding "word-break: break-word" is deprecated so prefer "word-break:
break-all" only when appropriate), ensuring the selector that contained
"word-break: break-word;" now uses "overflow-wrap: anywhere;" to satisfy
stylelint and current spec.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use non-deprecated text wrapping rule.

word-break: break-word is deprecated and may fail linting.

Suggested fix

 .session-response {
@@
-    word-break: break-word;
+    word-break: normal;
+    overflow-wrap: anywhere;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	word-break: break-word;
	.session-response {
	word-break: normal;
	overflow-wrap: anywhere;
	}

🧰 Tools

🪛 Stylelint (17.12.0)

[error] 98-98: Deprecated keyword "break-word" for property "word-break" (declaration-property-value-keyword-no-deprecated)

(declaration-property-value-keyword-no-deprecated)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_4/NoLoginRateLimiting.css`
at line 98, Replace the deprecated CSS rule "word-break: break-word" in
NoLoginRateLimiting.css with a standards-compliant wrapping rule: remove the
"word-break: break-word" declaration and add "overflow-wrap: anywhere" (and
optionally "word-wrap: break-word" for legacy support) in the same selector so
text wrapping behavior is preserved without using the deprecated property.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix deprecated CSS keyword in response wrapping.

Replace deprecated word-break: break-word to keep stylelint clean and standards-aligned.

Suggested fix

 .session-response {
@@
-    word-break: break-word;
+    word-break: normal;
+    overflow-wrap: anywhere;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	word-break: break-word;
	word-break: normal;
	overflow-wrap: anywhere;

🧰 Tools

🪛 Stylelint (17.12.0)

[error] 98-98: Deprecated keyword "break-word" for property "word-break" (declaration-property-value-keyword-no-deprecated)

(declaration-property-value-keyword-no-deprecated)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/main/resources/static/templates/SessionManagementVulnerability/LEVEL_5/SecureSessionManagement.css`
at line 98, The CSS contains the deprecated rule "word-break: break-word;" —
replace it with the standards-aligned property "overflow-wrap: anywhere;" (and
remove or set "word-break" to a normal value if present) so stylelint stops
flagging the rule and wrapping behavior remains the same; update the occurrence
of the "word-break: break-word;" declaration in SecureSessionManagement.css
accordingly.

Source: Linters/SAST tools

[codecov-commenter]

Codecov Report

❌ Patch coverage is 62.88660% with 72 lines in your changes missing coverage. Please review.
✅ Project coverage is 55.11%. Comparing base (d1ca12f) to head (5b33af1).

Files with missing lines	Patch %	Lines
...sionManagement/SessionManagementVulnerability.java	0.00%	32 Missing ⚠️
...ty/sessionManagement/SessionManagementService.java	77.37%	20 Missing and 11 partials ⚠️
...ility/sessionManagement/SessionUserRepository.java	0.00%	6 Missing ⚠️
...labs/configuration/VulnerableAppConfiguration.java	0.00%	2 Missing ⚠️
...e/vulnerability/sessionManagement/SessionUser.java	92.30%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #653      +/-   ##
============================================
+ Coverage     54.69%   55.11%   +0.42%     
- Complexity      663      686      +23     
============================================
  Files            91       95       +4     
  Lines          3587     3781     +194     
  Branches        397      414      +17     
============================================
+ Hits           1962     2084     +122     
- Misses         1448     1509      +61     
- Partials        177      188      +11     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.