
Research on Session Vulnerability for Top 50 Enterprise SaaS Companies
Research Background / Methodology / Demographics / Outcomes / Key takeaways
Research Background
Modern web applications are blind after login
However strong the authentication, after login many applications still rely on bearer tokens and other transferable artifacts as proof of identity.
This creates a critical blind spot: if an authenticated session is stolen, an attacker can impersonate the legitimate user and bypass any security control.
The question is: how widespread is this vulnerability across Enterprise SaaS companies?
We selected approx. 50 of the world’s top Enterprise SaaS companies: organizations with the most mature identity and security stacks.
We then performed the most basic form of in-session attack: session replay.
The results speak for themselves.

Methodology
We selected ~50 among the best global Enterprise SaaS companies
Sample Inclusion Criteria ↓
SIZE/REPUTATION
SaaS unicorns; Public companies; Top-ranked 2025 G2 Enterprise SaaS award winners (see Demographics).
ACCESSIBILITY
Each SaaS had to offer a free plan or free trial.
Vulnerability Testing ↓
We created a legitimate account and enabled strong authentication.
A basic session replay attack was performed: we copied the cookies from an authenticated session and pasted them into a second, unknown browser.
We measured four key outcomes:
Demographics
The sample consists of 48 Enterprise SaaS.
SIZE/REPUTATION
5 DIFFERENT BUSINESS DOMAINS
DISTRIBUTION BY DOMAIN (chart)
/ USERS
More than half of the SaaS in the sample account for more than 10M users each.
/ COMPANIES (ANY SIZE)
More than 40% of the sample serves more than 50,000 orgs, from SMBs to Enterprises.
/ FORTUNE 500 ENTERPRISES
More than 80% of the sample have an established footprint among Fortune 500 enterprises.
Outcomes
We could perform session replay in more than 80% of the selected SaaS companies
In all the applications we breached via session replay, we could both run parallel sessions and perform all the activities our account allowed us to, while remaining completely undetected. Some key critical actions are listed below.
KEY CRITICAL ACTIONS
Development: deleted an entire code library
Productivity: uploaded a contract and signed it
Artificial intelligence: extracted all workspace confidential data via chat
Approximately 10% of tested SaaS applications allowed session persistence even after the legitimate user logged out.
Without logout, replayed sessions could persist undetected for extended periods. In some cases, cookies had no clear expiry unless manually modified.
Even short persistence windows create meaningful risk.
For high-privilege accounts, default session lifetimes of 4–6 hours still provide enough time for escalation or lateral movement.
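The replay test described under Vulnerability Testing and the persistence findings above both point at the same server-side controls. The following is an added example, not code from the report or from any of the tested vendors: a session store that keeps all validity state on the server, revokes a session on logout (so a copied cookie stops working when the user signs out), enforces absolute and idle lifetimes, and records use of a session id from a client context other than the one it was issued to, which is what the copied cookie in a second browser looks like to the server. The class and function names, the 4h/30min thresholds, the IP-plus-user-agent binding and the sample IP and user-agent values are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values: the low end of the 4-6h default lifetime the report
# cites, plus an idle timeout. Real deployments tune these per privilege level.
ABSOLUTE_LIFETIME = 4 * 3600
IDLE_TIMEOUT = 30 * 60


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    client_fp: str            # fingerprint of the client context the cookie was issued to
    revoked: bool = False


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client context a session is bound to. IP plus user agent is a
    weak, illustrative binding; production systems use stronger signals."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Server-side session registry (hypothetical). The cookie only carries an
    opaque id; all state that decides validity lives here, not in the browser."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for deterministic runs
        self._sessions: dict[str, Session] = {}
        self.anomalies: list[dict] = []      # what a detection pipeline would consume

    def login(self, user: str, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user, t, t, client_fingerprint(ip, user_agent))
        return sid

    def logout(self, sid: str) -> None:
        # Revoke server-side. Deleting the cookie in the user's browser alone leaves
        # any copied cookie valid, which is the persistence the report observed.
        s = self._sessions.get(sid)
        if s is not None:
            s.revoked = True

    def validate(self, sid: str, ip: str, user_agent: str) -> tuple[bool, str]:
        """Decide whether a presented cookie is acceptable from this client."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown"
        if s.revoked:
            return False, "revoked"
        t = self._now()
        if t - s.created > ABSOLUTE_LIFETIME:
            s.revoked = True
            return False, "expired"
        if t - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return False, "idle"
        if not hmac.compare_digest(client_fingerprint(ip, user_agent), s.client_fp):
            # The same cookie is being presented from a different client context.
            # Record it for detection and reject; a softer policy would instead
            # require re-authentication before continuing.
            self.anomalies.append({"user": s.user, "sid": sid[:8], "reason": "context_mismatch"})
            return False, "context_mismatch"
        s.last_seen = t
        return True, "ok"


class FakeClock:
    """Controllable clock so the scenario below runs deterministically."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Run the report's scenario against the store. All values are constructed."""
    clock = FakeClock()
    store = SessionStore(now=clock)
    sid = store.login("alice", "198.51.100.10", "Browser-A/1.0")
    legit = store.validate(sid, "198.51.100.10", "Browser-A/1.0")
    replay = store.validate(sid, "203.0.113.7", "Browser-B/2.0")   # same cookie, second browser
    store.logout(sid)
    after_logout = store.validate(sid, "198.51.100.10", "Browser-A/1.0")

    sid_idle = store.login("alice", "198.51.100.10", "Browser-A/1.0")
    clock.advance(IDLE_TIMEOUT + 1)
    idle = store.validate(sid_idle, "198.51.100.10", "Browser-A/1.0")

    sid_old = store.login("alice", "198.51.100.10", "Browser-A/1.0")
    clock.advance(ABSOLUTE_LIFETIME + 1)
    expired = store.validate(sid_old, "198.51.100.10", "Browser-A/1.0")

    return {"legit": legit, "replay": replay, "after_logout": after_logout,
            "idle": idle, "expired": expired, "anomalies": list(store.anomalies)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design choice worth noting is that nothing the browser holds decides validity: the id is opaque, lifetime and revocation are checked on every request, and the `anomalies` list is the signal a detection team would alert on. Whether a context mismatch is rejected outright or answered with a step-up authentication prompt is a policy decision; the example takes the stricter option.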
Key Takeaways



