Web Application Security Series: Session Fixation Attack Scenario

A Session Fixation attack allows an attacker to hijack a valid user session. The attacker exploits weaknesses in the way a Web application manages users’ session IDs, more specifically the session management flaws of a vulnerable Web application. In this short and sweet article, I demonstrate a Session Fixation attack scenario and draw some vital lessons. Enjoy reading!

A typical Session Fixation attack scenario goes as follows:

  1. The attacker visits a Web application which has inadequate session management and gets a valid session token.
  2. The attacker prepares a link to the application which contains the session token and sends the link to the victim (e.g. through a phishing email or via instant messenger). Since the link is to a trusted website, the victim suspects nothing and clicks it.
  3. The victim logs into the vulnerable Web application using his/her credentials.
  4. The vulnerable Web application identifies the victim but does not issue a unique session ID.
  5. Thereafter, when the attacker visits the vulnerable Web application with the same session ID, he/she effectively takes over the victim’s authenticated session on the application.

Figure: A Session Fixation Attack Scenario Process

Key Lessons:

  1. The Session ID is sent to the victim in a hyperlink and the victim accesses the site through the malicious URL.
  2. Session fixation can be achieved remotely, which bypasses the hurdle of using a shared computer to complete the attack.
  3. To defend against session fixation, ensure your Web application developers code their applications so they issue a different session ID (cookie) immediately after a user authenticates to the application.
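To make lesson 3 concrete, below is an added Python model (not code from this article) that replays the five scenario steps against a constructed in-memory session store, once with the vulnerable behaviour (the pre-login session ID is kept) and once with the defence (a fresh ID is issued at login and the old one invalidated). The `SessionStore` class and its methods are hypothetical names chosen for this example.

```python
import secrets

# Constructed, hypothetical in-memory session store: token -> session data.
# Added example for illustration; not the article's or any framework's code.
class SessionStore:
    def __init__(self):
        self.sessions = {}

    def new_session(self):
        """Issue an unauthenticated session with a random, unguessable ID."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": None}
        return token

    def login(self, token, username, regenerate):
        """Authenticate the session identified by token and return the ID
        the client should use from now on.

        regenerate=False models the vulnerable application in step 4:
        the ID the victim arrived with stays valid after login.
        regenerate=True models the defence in lesson 3: a new ID is
        issued on authentication and the pre-login ID is invalidated.
        """
        if token not in self.sessions:
            token = self.new_session()
        if not regenerate:
            self.sessions[token]["user"] = username
            return token
        self.sessions.pop(token)               # old (possibly fixated) ID dies here
        new_token = self.new_session()
        self.sessions[new_token]["user"] = username
        return new_token

    def whoami(self, token):
        """Return the user bound to token, or None if the ID is unknown."""
        sess = self.sessions.get(token)
        return sess["user"] if sess else None


def fixation_succeeds(regenerate):
    """Replay the article's five steps; True if the attacker-known ID ends up
    bound to the victim's authenticated session."""
    store = SessionStore()
    attacker_token = store.new_session()             # step 1: attacker obtains a valid ID
    victim_token = attacker_token                    # step 2: victim follows the link carrying it
    store.login(victim_token, "victim", regenerate)  # steps 3-4: victim logs in with that ID
    return store.whoami(attacker_token) == "victim"  # step 5: attacker reuses the same ID
```

With `regenerate=False` the attacker's ID now maps to the victim's account; with `regenerate=True` it maps to nothing, which is exactly the property lesson 3 asks developers to guarantee.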