Skip to main content

SESSION FIXATION

  • What is Session Fixation ?
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn’t assign a new session ID, making it possible to use an existent session ID.


The attack consists of inducing a user to authenticate himself with a known session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it.

  • Attack Scenario :
1. Mallory has determined that http://unsafe/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe/ is thus not secure.

2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.

3. Alice is interested and visits http://unsafe/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.

4. Mallory visits http://unsafe/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.

  • Attack Process :
1. Session Setup:

First, the attacker either sets up a trap session on the target server and obtains that session’s ID, or selects a arbitrary session ID to be used in the attack. In some cases, the established trap session needs to be maintained by repeatedly sending requests referencing it to avoid idle session timeout.


2. Session Fixation:

Next, the attacker needs to introduce her session ID to the user’s browser, thereby fixing his session.

3. Session Entrance:

Finally, the attacker has to wait until the user logs in to the target server using the previously fixed session ID and then enter the user’s session.

  • Attack Example :
1. First, the attacker, who in this case is also a legitimate user of the system, logs in to the server and is issued a session ID 1234.

2. Then he sends a hyperlink http://online.worldbank.dom/login.jsp?sessionid=1234 to the user, trying to lure him into clicking on it.

3. The user clicks on the link, which opens the server’s login page in his browser.



4. Upon receipt of the request for login.jsp?sessionid=1234, the web application has established.

5. Finally, the user provides his credentials to the login script and the server grants him access to his bank account.

6. At this point, knowing the session ID, the attacker can also access the user’s account via account.jsp?sessionid=1234.

  • Countermeasures :
1. Web applications must ignore any session ID provided by the user’s browser at login and must always generate a new session to which the user will log in if successfully authenticated.

2. If possible, a web application on a strict system should only issue session IDs of newly generated sessions to users after they have successfully authenticated.

3. Session identifiers in URL (GET or POST variables) are not recommended as they simplify this attack. The session identifier on most modern systems is stored by default in an HTTP cookie, which has a moderate level of security. Use of the SSL/TLS session identifier is very secure.




Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...
Labels:

Comments

Post a Comment

Popular posts from this blog

SESSION HIJACKING

What is Session Hijacking ? Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress. TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine. Techniques : There are mainly three methods used to perpetrate a session hijack. These are: 1. Session Fixation: The session fixation attack is a class of Session Hijacking, which steals the established session between the client and the Web Server after the user logs in. Instead, the Session Fixation attack fixes an established session on the victim's browser, so the attack starts...
Post a Comment
Continue reading »

Major Cyber Attacks, Ransomware Attacks & Data Breaches — August 2025

  📌 Executive Summary August 2025 witnessed one of the most turbulent months in cybersecurity, with insurance giants, luxury fashion brands, airlines, and tech leaders like Google falling victim to attacks. Ransomware : Healthcare, energy, and government agencies remained prime targets. Data Breaches : Customer records in the millions exposed from airlines, fintech, and retail. New Malware & Vulnerabilities : Emerging strains like DeepHound RAT and new critical flaws in Microsoft Exchange raised red flags. Key Trend : Threat actors continue to shift toward supply chain attacks and extortion-focused ransomware campaigns  Timeline of Major Cyber Incidents — August 2025 🔒 Ransomware Attacks in August 2025 Ransomware continued to dominate the cyber threat landscape: Insurance & Finance : A major global insurer suffered system-wide downtime due to the BlackBasta group . Healthcare : Hospitals in the US and Europe disrupted by LockBit 4.0 , delayi...
Post a Comment
Continue reading »

Next-Gen Infrastructure: The Key to Unlocking Business Success

Key points Artificial Intelligence (AI)  is driving the need for next-generation data centers that can support high-performance computing , low-latency data transfer , and sustainable operations . AI data centers  are specifically designed to handle complex AI workloads , featuring specialized hardware accelerators , advanced cooling systems , and high-performance storage . Hyperscale cloud providers ,  neocloud providers , and  colocation specialists  are key players in the AI data center landscape, each offering unique advantages and challenges. As I report from the world of technology,  Artificial Intelligence (AI)  is moving at an unprecedented pace, with innovations expanding its capabilities at a rapid rate. This has significant implications for  enterprise architecture , as existing data center capabilities are no longer sufficient to support the demands of AI workloads. According to sources, the rapid evolution of AI requires  next-ge...
Post a Comment
Continue reading »