Session Fixation

Session fixation is an attack in which the attacker fixes (plants) a session identifier of their choosing in the victim's browser before the victim logs in. It works against applications that keep the same session identifier across authentication: once the victim logs in, the identifier the attacker already knows is bound to the victim's account.

Exploitation

1. Attacker Logs in to the Website to Get a Session

The attacker logs in to the legitimate website (or simply visits it, if the application issues a session identifier before authentication) and records the session value the server sets:

Cookie: sessid=abcdef

2. Attacker Sends the Session Value to Victim

There are various ways to plant the attacker's session value in the victim's browser. For example,

  • Send an email containing a link that carries the session value (works when the application also accepts the session identifier from the URL).

  • Predict a session value.

  • Eavesdrop on a session using a packet sniffer such as Wireshark.

  • XSS: inject a script that overwrites the victim's session cookie with the attacker's value.

    <script>document.cookie = "sessid=abcdef; path=/"</script>

Note that predicting or eavesdropping a session value does not plant anything; it lets the attacker learn the identifier the victim is already using (session hijacking rather than fixation), but it ends in the same position.

3. Victim Logs in with the Attacker's Session

If the victim logs in while the attacker's session value is set in the Cookie and the application does not issue a new session identifier on login, the authenticated session is now bound to the value the attacker knows, so the attacker can act as the victim in the website.

The fix is to regenerate the session identifier whenever the privilege level changes (at login, and again at logout), invalidate the old identifier server-side, and never accept session identifiers from URL parameters.
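The three steps above, and the manual reproduction further down the page, as an added simulation that is not part of the original page: a toy application with an in-memory session store, built once without and once with session-ID rotation on login, and a helper that replays the attack against it. The App class, the run_fixation helper, the USERS table and the cookie name sessid are assumptions made for this example.

```python
import secrets

# Constructed sample accounts for the example; not from the page.
USERS = {"alice": "correct horse", "attacker": "hunter2"}


class App:
    """Minimal stand-in for a web app with an in-memory session store.

    A request is modelled as the cookie dict the browser would send; each
    handler returns the session id the browser should keep afterwards (the
    value a Set-Cookie header would carry).
    """

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # sid -> {"user": username or None}

    def _new_sid(self, data):
        sid = secrets.token_urlsafe(32)  # unpredictable, so guessing is not an option
        self.sessions[sid] = data
        return sid

    def visit(self, cookies):
        """Any page load: reuse a known session id or issue a fresh one."""
        sid = cookies.get("sessid")
        if sid not in self.sessions:
            sid = self._new_sid({"user": None})
        return sid

    def login(self, cookies, username, password):
        """POST /login: returns (sid for the browser, success flag)."""
        sid = self.visit(cookies)  # may be an attacker-planted, pre-auth id
        if USERS.get(username) != password:
            return sid, False
        if self.rotate_on_login:
            # Fix: retire the pre-authentication id and bind the login to a new one.
            # Anything carried over from the old session is attacker-controllable,
            # so only copy state you would accept from an anonymous client.
            data = self.sessions.pop(sid)
            sid = self._new_sid(data)
        self.sessions[sid]["user"] = username
        return sid, True

    def whoami(self, cookies):
        """Who the server believes is behind the presented cookie."""
        sess = self.sessions.get(cookies.get("sessid"))
        return sess["user"] if sess else None


def run_fixation(app):
    """Replay the page's three steps; returns (what attacker sees, what victim sees)."""
    # 1. Attacker logs in and records their own session id.
    attacker_sid, ok = app.login({}, "attacker", "hunter2")
    assert ok
    # 2. Attacker plants that id in the victim's browser (mail link, XSS, ...).
    victim_cookies = {"sessid": attacker_sid}
    # 3. Victim logs in; the browser keeps whatever id the response sets.
    victim_sid, ok = app.login(victim_cookies, "alice", "correct horse")
    assert ok
    victim_cookies["sessid"] = victim_sid
    # The attacker now presents the id from step 1.
    return app.whoami({"sessid": attacker_sid}), app.whoami(victim_cookies)


if __name__ == "__main__":
    print("no rotation:", run_fixation(App(rotate_on_login=False)))
    print("rotation:   ", run_fixation(App(rotate_on_login=True)))
```

Without rotation the attacker's id ends up bound to alice, so both parties see "alice". With rotation the victim's login retires the planted id, the attacker's cookie no longer maps to any session, and only the victim holds the new authenticated id.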

Steps to reproduce

  1. Open example.com/login.

  2. Open the browser devtools.

  3. Get the value of the SESSION cookie.

  4. Open example.com/login in an incognito tab.

  5. In the incognito tab, change the cookie value to the one obtained in step 3.

  6. In the normal tab (the one from steps 1-3), log in as any user.

  7. Refresh the page in the incognito tab.

Result

The incognito tab is now also logged in as the user from step 6. Since that tab never sent the user's credentials, this shows the session identifier issued before login survived authentication, which is the condition session fixation needs.
