Session fixation vulnerabilities occur when:
- A web application authenticates a user without first invalidating the existing session ID, thereby continuing to use the session ID already associated with the user.
- An attacker is able to force a known session ID on a user so that, once the user authenticates, the attacker has access to the authenticated session.
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier, giving the attacker access to the user’s account through the active session.
Furthermore, the issue described above is problematic for sites that issue a session identifier over HTTP and then redirect the user to an HTTPS login form. If the session identifier is not reissued upon authentication, an attacker who can eavesdrop on the initial HTTP exchange learns the identifier and can later use it to hijack the authenticated session.
Send a request to the site to be tested:
GET / HTTP/1.1
Host: www.example.com
The application sets a new session identifier (e.g. JSESSIONID) for the client. The tester obtains the following response:
HTTP/1.1 200 OK
...
Set-Cookie: JSESSIONID=0000d8eyYq3L0z2fgq10m4v-rt4:-1; Path=/; secure
...
Authenticate to the application with a POST over HTTPS, presenting the session identifier received before authentication:
POST https://www.example.com/authentication.php HTTP/1.1
...
Cookie: JSESSIONID=0000d8eyYq3L0z2fgq10m4v-rt4:-1
...
Name=user1&wpPassword=Abc123&wpLoginattempt=Log+in
The tester observes the following response from the server:
If no new cookie has been issued upon a successful authentication, the tester knows that it is possible to perform session hijacking.
Result Expected: The tester can send a valid session identifier to a user (possibly using a social engineering trick), wait for them to authenticate, and subsequently verify that privileges have been assigned to this cookie.
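The check described in the steps above can be automated. The following added example (not part of the original page) compares the session cookie set before authentication with the one set, or not set, after the login POST; the response texts are constructed samples modelled on the exchange above, and the cookie name JSESSIONID and the hypothetical "/home" redirect are assumptions.

```python
SESSION_COOKIE = "JSESSIONID"

# Constructed sample responses (not captured traffic), modelled on the exchange above.
PRE_AUTH_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0000d8eyYq3L0z2fgq10m4v-rt4:-1; Path=/; secure\r\n"
    "\r\n"
)
# Vulnerable behaviour: the login succeeds but no new session cookie is issued.
POST_AUTH_RESPONSE_VULNERABLE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /home\r\n"
    "\r\n"
)
# Remediated behaviour: a fresh identifier replaces the pre-authentication one.
POST_AUTH_RESPONSE_FIXED = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /home\r\n"
    "Set-Cookie: JSESSIONID=1111newIdIssuedAfterLogin9z:-1; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def _cookie_pair(set_cookie_value):
    """Split a Set-Cookie header value into (name, value), ignoring attributes."""
    first = set_cookie_value.split(";", 1)[0].strip()
    name, sep, value = first.partition("=")
    return (name.strip(), value.strip()) if sep else (None, None)


def session_cookie_values(raw_response, name=SESSION_COOKIE):
    """Return every value the response assigns to the session cookie, in order."""
    head = raw_response.partition("\r\n\r\n")[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            cookie_name, cookie_value = _cookie_pair(value)
            if cookie_name == name:
                values.append(cookie_value)
    return values


def session_fixation_suspected(pre_auth, post_auth, name=SESSION_COOKIE):
    """True when the identifier issued before login is still valid after it.

    A response that sets no session cookie after a successful login, or that
    re-sets the same value, means the pre-authentication ID survives and the
    application is a candidate for session fixation.
    """
    before = session_cookie_values(pre_auth, name)
    after = session_cookie_values(post_auth, name)
    if not before:
        return False  # no session was established before login; nothing to fix
    if not after:
        return True   # login kept the pre-authentication identifier
    return after[-1] == before[-1]


if __name__ == "__main__":
    print("vulnerable sample:", session_fixation_suspected(PRE_AUTH_RESPONSE, POST_AUTH_RESPONSE_VULNERABLE))
    print("fixed sample:    ", session_fixation_suspected(PRE_AUTH_RESPONSE, POST_AUTH_RESPONSE_FIXED))
```

A positive result from this check is only a suspicion: it must be confirmed, as the expected-result paragraph describes, by showing that the pre-authentication identifier actually carries the user's privileges after login.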
Issue description
Title | |
Description | |
Steps to reproduce | |
Remediation | The application should always invalidate the existing session ID before authenticating a user and, if the authentication is successful, issue a new session ID. |
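The remediation above, shown server-side as an added example that is not part of the original page: a minimal in-memory session store (constructed for illustration) with a login handler that keeps whatever session ID the client presented, beside one that invalidates the presented ID and issues a fresh one. The user name, password and credential check are constructed stand-ins.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: session ID -> session data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Unpredictable identifier; the store, not the client, chooses it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def check_credentials(username, password):
    # Constructed stand-in for real credential verification.
    return username == "user1" and password == "Abc123"


def login_vulnerable(store, sid, username, password):
    """Authenticates the user onto whatever session ID the client presented.

    Whoever already knows `sid` now holds an authenticated session.
    """
    session = store.get(sid)
    if session is None:
        sid = store.create()
        session = store.get(sid)
    if check_credentials(username, password):
        session["user"] = username
    return sid


def login_fixed(store, sid, username, password):
    """Invalidates the presented session first, then issues a new ID.

    The pre-authentication identifier is dropped whether or not the login
    succeeds, so a value planted before login never becomes authenticated.
    """
    store.invalidate(sid)
    new_sid = store.create()
    if check_credentials(username, password):
        store.get(new_sid)["user"] = username
    return new_sid


def planted_id_becomes_authenticated(login):
    """Verification harness for a login handler: returns True when a session ID
    created before login still carries the user's privileges afterwards."""
    store = SessionStore()
    planted_sid = store.create()          # identifier known before authentication
    login(store, planted_sid, "user1", "Abc123")
    session = store.get(planted_sid)
    return session is not None and session["user"] == "user1"


if __name__ == "__main__":
    print("vulnerable handler:", planted_id_becomes_authenticated(login_vulnerable))
    print("fixed handler:     ", planted_id_becomes_authenticated(login_fixed))
```

The handler must also send the new identifier to the client in a Set-Cookie header (with Secure and HttpOnly) in the login response; that is the cookie the test procedure above looks for.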
French
Title | Session fixation |
Description | A session fixation attack lets a malicious person determine another person's session identifier. Knowing a user's session token, it is possible to use it and take over their session. This attack relies on the fact that, when a user authenticates, no new token is assigned to them, which makes it possible to use their token. |
Steps to reproduce | |
Remediation | It is recommended to issue a new session token when authentication succeeds and to invalidate the old token. |