What is Session Fixation?
Step 2: An attacker can provide this session_id to the victim with the login URL as shown in the following example:
What is Session Fixation?
Session Fixation is used by an attacker when it is not possible to steal the session_id. Session Fixation allows an attacker to fix the session of the victim. Session Fixation may possible when new session is not created for users on authentication.
How does Session Fixation work?
The first step for Session Fixation for an attacker is to obtain a valid session_id for himself. The next step is to enforce the victim to authenticate using that session_id. Once the victim uses the session_id provided by the attacker, the attacker can take over the victim's account.
What attacker can do by exploiting Session Fixation?
As explained earlier, an attacker can fix the session_id of the victim. After successful exploitation, an attacker can have access to the victim's session_id and can perform any action on behalf of the victim. It can be very severe and can lead to DoS or account takeover.
Example 1: When the server is not regenerating a new token on authentication.
Step 1: An attacker can obtain a valid session_id by login to the application. Suppose the session_id obtained by an attacker is "xyz123".
Step 2: An attacker can provide this session_id to the victim with the login URL as shown in the following example:
Step 2: An attacker can provide this session_id to the victim with the login URL as shown in the following example:
https://www.anyrandomsite.com/login.php?session_id=xyz123
https://www.anyrandomsite.com/login.php?session_id=xyz123
Step 3: The victim will use his username and password for the login and with credentials, the browser will send the session_is fixed by the attacker as shown in the following example:
Step 3: The victim will use his username and password for the login and with credentials, the browser will send the session_is fixed by the attacker as shown in the following example:
POST DATA:
username=victim&password=victimpassword&session_id=xyz123
POST DATA:
username=victim&password=victimpassword&session_id=xyz123
step 4: On successful login, the session will be fixed for the victim and an attacker may have access to the victim's account.
Example 2: Exploiting client-side vulnerabilities like XSS.
An attacker can exploit client-side vulnerabilities like XSS as shown in the following example:
step 4: On successful login, the session will be fixed for the victim and an attacker may have access to the victim's account.
An attacker can exploit client-side vulnerabilities like XSS as shown in the following example:
Example 2: Exploiting client-side vulnerabilities like XSS.
http://www.anyrandomsite.com/page.php?q=<script>document.cookie="session_id=xyz123";</script>
http://www.anyrandomsite.com/page.php?q=<script>document.cookie="session_id=xyz123";</script>
As shown in above example, an attacker can set the session_id for the user using script through XSS.
As shown in above example, an attacker can set the session_id for the user using script through XSS.
Example 3: Exploiting code injection via a meta tag.
An attacker can exploit meta tag injection to fix a session_id as shown in the following example:
Example 3: Exploiting code injection via a meta tag.
An attacker can exploit meta tag injection to fix a session_id as shown in the following example:
http://www.anyrandomsite.com/<meta http-equiv=Set-Cookie content="session_id=xyz123">
http://www.anyrandomsite.com/<meta http-equiv=Set-Cookie content="session_id=xyz123">
Example 3: Exploiting vulnerabilities like CRLF injection:
An attacker can exploit CRLF vulnerability to inject a header in the HTTP response. Let's consider the following request:
Example 3: Exploiting vulnerabilities like CRLF injection:
http://www.anyrandomsite.com/redirect.php?origin=dashboard
http://www.anyrandomsite.com/redirect.php?origin=dashboard
Let's assume above request has a response as shown in the example below:
Let's assume above request has a response as shown in the example below:
HTTP/1.1 302 Object moved
Date: Mon, 07 Mar 2016 17:42:46 GMT
Location: redirect.php?origin=dashboard
Connection: close
Content-Length: 121
<head><title>Object moved</title></head>
HTTP/1.1 302 Object moved
Date: Mon, 07 Mar 2016 17:42:46 GMT
Location: redirect.php?origin=dashboard
Connection: close
Content-Length: 121
<head><title>Object moved</title></head>
Date: Mon, 07 Mar 2016 17:42:46 GMT
Location: redirect.php?origin=dashboard
Connection: close
Content-Length: 121
<head><title>Object moved</title></head>
An attacker can apply CRLF payload with an extra header as shown in the following example:
An attacker can apply CRLF payload with an extra header as shown in the following example:
http://www.anyrandomsite.com/redirect.php?origin=dashboard%0d%0aSet-Cookie:%20session_id=xyz123%0d%0a
http://www.anyrandomsite.com/redirect.php?origin=dashboard%0d%0aSet-Cookie:%20session_id=xyz123%0d%0a
Above URL may result into response below:
Above URL may result into response below:
HTTP/1.1 302 Object moved
Date: Mon, 07 Mar 2016 17:42:46 GMT
Location: redirect.php?origin=dashboard
Set-Cookie: session_id=xyz123
Connection: close
Content-Length: 121
<head><title>Object moved</title></head>
HTTP/1.1 302 Object moved
Date: Mon, 07 Mar 2016 17:42:46 GMT
Location: redirect.php?origin=dashboard
Set-Cookie: session_id=xyz123
Connection: close
Content-Length: 121
<head><title>Object moved</title></head>
Date: Mon, 07 Mar 2016 17:42:46 GMT
Location: redirect.php?origin=dashboard
Set-Cookie: session_id=xyz123
Connection: close
Content-Length: 121
<head><title>Object moved</title></head>
As we can see in above example a session is fixed for the victim by an attacker.
How to prevent Session Fixation?
- Generate a new session on authentication.
- Set HTTPOnly and Secure flags for sensitive cookies.
- Using CSRF Tokens for each sensitive request.
As we can see in above example a session is fixed for the victim by an attacker.
How to prevent Session Fixation?
Following steps to be followed to prevent the Session Fixation:
- Generate a new session on authentication.
- Set HTTPOnly and Secure flags for sensitive cookies.
- Using CSRF Tokens for each sensitive request.
0 Comments