Session Fixation

Security Misconfiguration

Category: Security Misconfiguration

Severity: Medium

Description

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesnโ€™t assign a new session ID, making it possible to use an existing session ID. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victimโ€™s browser use it.

Once the attacker has a valid session ID, they can trick the victim into using that session ID.

This can be done by sending the victim a link that contains the session ID or by embedding the session ID in a malicious email.

Impact

  • Account Takeover

Remediation

While session fixation attacks are not easy to perform except in the most trivial cases, they are also not easy to completely eliminate. Prevention depends on treating the session ID as highly sensitive data and combining multiple safeguards as a defense-in-depth session management strategy to ensure that attackers canโ€™t access or guess the identifier. The application must also be careful about the values it generates and accepts.

Here is a non-exhaustive list of common techniques for session fixation protection:

  • Use cookies marked as HttpOnly and Secure to set and store session identifiers

  • Never use GET or POST variables to transmit session IDs

  • Accept only server-generated IDs

  • Set a time limit for old session IDs

  • Generate a new session ID for each request

Reference

https://acrossecurity.com/papers/session_fixation.pdf

https://owasp.org/www-community/attacks/Session_fixation

Last updated