Session Fixation is an attack technique that exploits weaknesses in the application’s Session ID (SID) management. If the application does not assign a new SID when a user authenticates, a SID that already exists before login stays valid for the authenticated session, which makes it possible to use a previously obtained SID for the attack.
This attack consists of:
- Obtaining a valid Session ID (SID).
- Tricking the victim into authenticating with that SID.
- Using the SID to impersonate the victim in the web session.
In essence, the attacker takes over the victim’s session with the web server once the victim has logged in. Common techniques include:
- Session Token in the URL Argument – The most common form of Session Fixation: the attacker sends the victim a malicious URL that contains a valid SID for the vulnerable website. Once the victim opens the URL and authenticates, the attacker can use the victim’s session.
- Session Token in a hidden form field – Less common than the previous method: the attacker must trick the victim into submitting a crafted login form on an attacker-controlled page. The same form can also be delivered in an HTML-formatted email.
- Session ID in a cookie – This method relies on the browser’s ability to execute client-side scripting. The attacker can plant the SID in a cookie through several vectors, such as Cross-Site Scripting (XSS) or another client-side script, an injected HTML tag, or an HTTP response header.
A typical attack scenario proceeds as follows:
- The attacker connects to the web server.
- The web server generates a SID (1234) and issues it to the attacker.
- The attacker crafts a malicious URL containing that SID and uses social-engineering techniques (e.g. phishing) to trick the victim into clicking it.
- The victim clicks the URL. The server, seeing that a SID is already present in the request, accepts it instead of issuing a new one.
- The victim logs into the website with a username and password.
- The attacker now holds an authenticated session and can interact with the vulnerable web server on the victim’s behalf.
Secure application development is an effective way to combat these kinds of vulnerabilities. Developers are advised to take the following steps:
- Invalidate any existing session identifier before authorizing a new session, i.e. issue a fresh SID at the moment the user authenticates.
- Time out user sessions to limit the attacker’s window of opportunity.
- Do not include SIDs in URLs; it is an unsafe practice.
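The following simulation is an added example, not Checkmarx code: it replays the six-step scenario above against a minimal in-memory session store, once with a login handler that keeps the presented SID (vulnerable) and once with one that invalidates it and issues a fresh SID (the first mitigation step). The store, the handler names and the "victim" user are constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal server-side SID store, constructed for this example."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": username or None}

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def handle_request(store, presented_sid):
    """Common server behaviour: accept a known SID, otherwise issue a new one."""
    if presented_sid is None or presented_sid not in store.sessions:
        return store.new_session()
    return presented_sid


def login_vulnerable(store, sid, user):
    """Binds the login to whatever SID was presented: a SID that existed
    before authentication now carries the victim's authenticated state."""
    store.sessions[sid]["user"] = user
    return sid


def login_fixed(store, sid, user):
    """Invalidates the presented SID and binds the login to a fresh one,
    so any SID that existed before authentication is worthless afterwards."""
    store.sessions.pop(sid, None)
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = user
    return new_sid


def simulate(login):
    """Replays the scenario: a SID obtained before login is presented again at
    login. Returns the user that the pre-login SID maps to afterwards."""
    store = SessionStore()
    pre_login_sid = handle_request(store, None)          # server issues a SID
    sid_at_login = handle_request(store, pre_login_sid)  # server reuses it
    assert sid_at_login == pre_login_sid
    login(store, sid_at_login, "victim")                 # victim authenticates
    return store.user_for(pre_login_sid)                 # who does the old SID serve?
```

With the vulnerable handler the pre-login SID now serves as "victim"; with the fixed handler it is no longer a valid session at all.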
CxSAST scans the application source code and warns the user if it finds session handling with no session invalidation in place.