Web Application Security Series: Session Fixation Attack Scenario
A Session Fixation attack allows an attacker to hijack a valid user session. The attacker exploits weaknesses in the way a Web application manages users’ session IDs, specifically an application that accepts a session ID chosen by the client and keeps it unchanged across login. In this short and sweet article, I demonstrate a Session Fixation attack scenario and draw some vital lessons. Enjoy reading!
A typical Session Fixation attack scenario goes as follows:
- The attacker visits a Web application which has inadequate session management and obtains a valid session token (the application issues one to any visitor, before login).
- The attacker prepares a link to the application which contains that session token and sends the link to the victim (e.g. through a phishing email or via instant messenger). Since the link points to a trusted website, the victim suspects nothing and clicks it. The victim's browser now presents the attacker's session ID.
- The victim logs into the vulnerable Web application using his/her credentials.
- The vulnerable Web application authenticates the victim but keeps the pre-existing session ID instead of issuing a new one, so the attacker's token is now bound to the victim's authenticated session.
- Thereafter, when the attacker visits the vulnerable Web application with the same session ID, the application treats him/her as the victim: the attacker has taken over the victim's activity on the application without ever learning the victim's credentials.
The vital lessons from this scenario:
- The session ID is delivered to the victim in a hyperlink and the victim accesses the site through that malicious URL. This only works because the application accepts a session ID presented by the client (for instance in a URL parameter) instead of honouring only the IDs it issued itself.
- Session fixation can be achieved remotely; unlike reading a session ID off a shared computer, the attacker never needs physical access to the victim's machine.
- To defend against session fixation, ensure your Web application developers regenerate the session ID immediately after a user authenticates: issue a fresh session cookie, copy over any state that must survive login, and invalidate the old ID so that anyone still holding it is left with a dead session. Additionally, never adopt an unknown session ID supplied by the client (in a URL or a cookie); treat it as absent and issue a new one.
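The scenario above and the two defences, worked through in code. This is an added example written for this article, not code from the original page: it models a Web application's session table in memory with hypothetical names (`SessionStore`, `VulnerableApp`, `HardenedApp`, `run_fixation`) and a constructed test user, and it plays the attack against an application that adopts client-supplied IDs and keeps them across login, then against one that only honours server-issued IDs and rotates the ID at login.

```python
import secrets

# Constructed credential for the example; a real application would store a password hash.
USERS = {"victim": "correct horse battery staple"}


def check_password(username, password):
    stored = USERS.get(username)
    return stored is not None and secrets.compare_digest(stored, password)


class SessionStore:
    """In-memory session table: session ID -> dict of session state."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits of server-chosen entropy
        self.sessions[sid] = {"user": None}
        return sid


class App:
    def __init__(self):
        self.store = SessionStore()

    def whoami(self, sid):
        """Who the application believes is behind this session ID (None if nobody)."""
        session = self.store.sessions.get(sid)
        return session["user"] if session else None


class VulnerableApp(App):
    """Session handling with the two defects the scenario relies on."""

    def visit(self, sid=None):
        """Unauthenticated request; sid is whatever the client presented (cookie or URL)."""
        if sid is None:
            return self.store.create()
        # Defect 1: an ID the server never issued is adopted as a brand-new session.
        self.store.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, username, password):
        sid = self.visit(sid)
        if check_password(username, password):
            # Defect 2: the pre-login ID is kept; it simply becomes an authenticated session.
            self.store.sessions[sid]["user"] = username
        return sid


class HardenedApp(App):
    def visit(self, sid=None):
        # Fix 1: only honour IDs this server issued; anything else gets a fresh anonymous session.
        if sid is None or sid not in self.store.sessions:
            return self.store.create()
        return sid

    def login(self, sid, username, password):
        sid = self.visit(sid)
        if not check_password(username, password):
            return sid
        # Fix 2: rotate the ID on authentication. Carry over the state, drop the old ID so
        # anyone still holding it (the attacker) is left with a session that no longer exists.
        state = self.store.sessions.pop(sid)
        new_sid = self.store.create()
        state["user"] = username
        self.store.sessions[new_sid] = state
        return new_sid


def run_fixation(app, attacker_sid=None):
    """Play the scenario against app.

    Returns (user the attacker's fixed ID resolves to, user the victim's ID resolves to).
    With attacker_sid=None the attacker first obtains a valid ID from the application;
    otherwise the attacker simply makes one up and hopes the application adopts it.
    """
    # Step 1: the attacker gets hold of a session ID.
    fixed_sid = app.visit(attacker_sid)
    # Step 2: the attacker sends a link carrying fixed_sid; the victim clicks it, so the
    # victim's browser presents that ID from now on.
    victim_sid = app.visit(fixed_sid)
    # Step 3: the victim logs in with his/her own credentials.
    victim_sid = app.login(victim_sid, "victim", USERS["victim"])
    # Step 4: the attacker replays the ID he/she fixed.
    return app.whoami(fixed_sid), app.whoami(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", run_fixation(VulnerableApp()))
    print("vulnerable, made-up ID:", run_fixation(VulnerableApp(), "attacker-chosen-id"))
    print("hardened:", run_fixation(HardenedApp()))
```

Against `VulnerableApp` the attacker's ID resolves to `victim` whether the attacker obtained it legitimately or invented it; against `HardenedApp` it resolves to nobody, because the victim's login moved the session to an ID the attacker never sees. Web frameworks expose the rotation step directly, for example `session_regenerate_id(true)` in PHP or `request.session.cycle_key()` in Django; the hardened `login` above is the same operation written out by hand.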