Introduction to Session Fixing

Introduction

Web session security is mainly focused on preventing an attacker from obtaining a session ID issued by the web server to the user’s
browser. But this approach ignores one possibility. That is the probability of “issuing” a session ID to the user’s browser by the attacker. So eventually forcing the browser into using a chosen session. These type of an attack is called a session fixation attack

In a session fixation scenario, the attacker uses the possibility of issuing a session id to the possible victim. So this eliminates the need for obtaining a session id that user has already logged in. The attacker will fix the session id on the target server before even victim logs in. This is in contrast with the attack session hijacking. In the session, hijacking attacker will obtain the session id of a current logged in user and may do illegal tasks pretending to be the current user.

The as we have a basic idea what is session fixation, let’s identify ho this attack works.

How Session fixation works.

There are mainly three parts in this attack. They are as follows
1) Session Setup
2) Session Fixation
3) Session Entrance

Session Fixation Steps

1) Session Setup

Session setup means starting a session in the target server and obtaining the trap session id. Then this will be eventually used to send to the victim to use unknowingly. According to the session management way in the server attacker may have to refresh the session timely. Because sessions are built by the server in a time-based manner. So eventually sessions will face a timeout.

2) Session Fixation

The attacker will choose a way to safely transport the trap session id to the victim in this step. There are 3 ways to do that.

i) Using the URL

The victim needs to enter the target server using a hyperlink sent by the attacker. Even though this method is simple, the practicality of it is less obvious. Because this method is highly detectable. Example for a this types of scenario as follows

http://website.dom/login.jsp?session=1234

ii) Using the session id in a hidden form field.

In this version of fixation, the attacker may have to develop a look a like form of the legitimate website. The use of this form to lure the victim. This form must also look like that it’s coming from the legitimate server. This is also a less practical version of fixation.

iii) Using the session id in a cookie

Cookies are the popular session ID transport mechanism, partly also due to their security in comparison to URL arguments and hidden form fields. But cookies provide the most convenient and effective and durable means of exploiting session fixation vulnerabilities. What the attacker needs to do is install the trap session ID cookie on the user’s browser.

Following two methods explain how we can perform this session fixation method.

A) Issuing a cookie using a client-side script

Most browsers support client-side scripting, usually in JavaScript language. JS will provide a way for the web server to issue a cookie to the browser by setting the property document.cookie to the desired value. An exmple for this scenario as follows.

JavaScript: document.cookie=”sessionid=1234”;

What the attacker wants is to give a desired trap session id from the target web server to the user’s browser. This can be done using a well-known and very widespread vulnerability called the “cross-site scripting”.

Before we identify how this attack works let’s understand about domain cookies.

Domain cookies are cookies with their domain attribute set to the issuing server’s domain. This attribute instructs the browser to not only send the cookie back to the issuing server but also to any other server in the specified domain. Domain cookies can expand the attack area from the target server to the entire target server’s domain.

Session Fixation using domain cookies

Attacker will send the forged link to the user(eventual victim). The link will look like this.

An attacker exploits a cross-site scripting vulnerability on server www.worldbank.com for generating a cookie-issuing script that sets a domain trap session ID cookie according to the attacker’s interest.

1. Attacker provides such cookie-issuing URL to the user’s browser
2. User will be tricked into go to that URL
3. Then the user’s browser will accept a cookie from the server
4. As it is a domain cookie it’ll be accepted by any server in the domain .worldbank.com
5. After the user’s successful login, the attacker will be able to access his bank account using the fixed session ID.

B)Using a <meta> tag

This is a code injection method. The attacker will embed the tap session id inside a meta tag and will be send to the user in a URL. This method can be used to bypass security system that only check <script> tag for XSS. These meta tags are also processed by the browser anywhere even though they are mainly found between <head> tags.

3) Session Entrance

Session Entrance is the 3rd step in the session fixation attack.
After the user has logged into the trap session and before he has logged out, the attacker can enter the trap session and assume the user’s identity. In many systems, the attacker will be able to use the session without the user noticing anything suspect. In case the user doesn’t log out of the system, the attacker has an opportunity to keep the session alive for a long time.

As we have understand how this attack works, let’s see what are the measures that modern web technologies have taken against them.

Defense against Session Fixation

1. Preventing logins to a chosen session :- In any session fixation scenario, the victim uses a chosen session id rather than using a new session id provided by the server. Web applications must deny any session id’s that are presented by the web browser at the login.
2. Preventing the attacker from obtaining a valid session id :- If possible, a web application on a system should only issue session IDs of newly generated sessions to users after they have successfully authenticated. The main cause of session fixation is the reason that providing the login form with the session id. This should be prevented. User must get a session id after they pass the authentication process.

Summary

The Session Fixation attack is similar to session hijacking, which steals the established session between the client and the web server after the user logs in. But the session fixation attack fixes an established session on the victim’s browser, so the attack starts before the user logs in. Session Fixation provides a much wider window of opportunity than would be provided by stealing a user’s session ID after they have logged into an application. Session Fixation is exploiting a limitation in the way a web application manages session IDs, specifically not assigning a new session ID with each session. The attack consists of obtaining a valid session ID (e.g., by connecting to the application), inducing a user to authenticate with that session ID, and then hijacking the user-validated session.