Skip to main content

17. How do you usually discover Shiro vulnerabilities?

Indicators

  • When login fails, the Set-Cookie header often contains rememberMe=deleteMe.
  • Passive scanning tools like ShiroScan.

Detailed Behaviour

  • Without login: Request cookie has no rememberMe; response Set-Cookie lacks deleteMe.
  • Login failure: Response always contains rememberMe=deleteMe.
  • Login success without “Remember Me”: Response Set-Cookie contains rememberMe=deleteMe, subsequent requests lack rememberMe.
  • Login success with “Remember Me”: Response Set-Cookie contains rememberMe=deleteMe and a rememberMe field; all subsequent requests include rememberMe.