Session Hijacking Unique Technique
This is my first report. I am not sure how this bug will be triaged, but I am confident it has a good chance of earning a bounty, so let's get into it. Session hijacking is also known as session fixation, though the term used in practice is session fixation.
What is Session Fixation?
Session fixation is a web application attack in which an attacker tricks a victim into authenticating to the application using a session identifier supplied by the attacker.
Put simply, session hijacking is an attack in which a user's session is taken over by an attacker. Normally, after logout the session should be destroyed and a new session created on the next login. In your application that does not happen: the same session cookie stays valid across the login and logout functionality.
1. There is only one account, used in two different browsers, Chrome and Firefox.
2. For example, on www.xyz.com I sign up for an account in Chrome, filling in first and last name, password and confirm password, city, country, phone number, etc., and log in.
3. On www.xyz.com in Firefox I use the same account, entering the same details as in Chrome (first and last name, password and confirm password, city, country, phone number, etc.), and log in.
4. With the account logged in in both browsers, in Chrome I change the first and last name, the phone number, and the password.
5. The changes are saved successfully in Chrome. I log out, switch to Firefox, refresh the page, and the changes show up there while the Firefox session is still logged in. Boom!
6. This is a session hijack, and this is a unique method.
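To make the defect concrete, here is an added example (my own code, not from the original report or any real application): a minimal server-side session store that replays the Chrome/Firefox test above. The `SessionStore` class, the `invalidate_on_change` flag and the `other_browser_survives` helper are my own names; with the flag off the store behaves like the vulnerable application, with it on every other browser's session is revoked by a password change.

```python
import secrets

class SessionStore:
    def __init__(self, invalidate_on_change=True):
        self.invalidate_on_change = invalidate_on_change  # False reproduces the bug on the page
        self.users = {}     # username -> {"password": str, "version": int}
        self.sessions = {}  # session id -> (username, credential version at issue time)

    def register(self, username, password):
        self.users[username] = {"password": password, "version": 0}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        sid = secrets.token_urlsafe(32)  # fresh, unguessable id on every login
        self.sessions[sid] = (username, user["version"])
        return sid

    def current_user(self, sid):
        username, version = self.sessions.get(sid, (None, None))
        if username is None or version != self.users[username]["version"]:
            self.sessions.pop(sid, None)  # unknown, or issued before a credential change
            return None
        return username

    def logout(self, sid):
        self.sessions.pop(sid, None)  # destroy the server-side session, not just the cookie

    def change_password(self, sid, new_password):
        username = self.current_user(sid)
        if username is None:
            return None
        user = self.users[username]
        user["password"] = new_password
        if self.invalidate_on_change:
            user["version"] += 1  # every session in every other browser is now stale
        del self.sessions[sid]
        return self.login(username, new_password)  # the caller continues with a new id


def other_browser_survives(invalidate_on_change):
    # The page's test: log in from Chrome and Firefox, change the password and
    # log out in Chrome, then refresh in Firefox. True means the bug is present.
    store = SessionStore(invalidate_on_change)
    store.register("alice", "old-pass")
    chrome = store.login("alice", "old-pass")
    firefox = store.login("alice", "old-pass")
    chrome = store.change_password(chrome, "new-pass")
    store.logout(chrome)
    return store.current_user(firefox) is not None
```

Real applications would keep the same version counter in the user record of their database or session backend; the point is that logout and password change must invalidate server-side state, not merely clear the cookie in one browser.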
If someone asks what the impact is:
The impact is that the session never expires. I consider this bug critical, but many bug bounty platforms do not treat it as critical; they rate it low or medium. I hope you got the idea of a session fixation attack. If you liked it, please share it with your friends.
Thanks for reading