Session Fixation Attacks

January 24, 2008

"Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker will wait for them to login. Once the user does so, the attacker uses the predefined session ID value to assume their online identity. " – The Web Application Security Consortium Threat Classifications Project

I recently came across an application which allows you to fix the Session ID Value in the URL and pass it to the victim. Thus when victim logs into the application by accessing that URL, his session gets assigned that particular Session-ID. However, the application on successful logon also sets cookie in user's browser(which is not vulnerable to session fixation). Here, even though an attacker knows the session-ID(in the URL), he cannot directly impersonate the victim, as he still doesnot have valid cookies.

In the above scenario, as the attacker now knows the session-ID, the application becomes vulnerable to Cross Site request Forgery(XSRF). Now exploiting this issue for an unauthenticated user(victim), will be trivial. However, if the user is already authenticated(has a session-id which attacker doesnot know) it will be difficult to exploit it.

One of the ways, i can think of exploiting this issue for an authenticated user will be as follows:-

If the application allows you to post links, one can post links to a website where he access to web logs, and then grab the session-id from the HTTP-Referrer in the web logs. 

However, application may not always allow an attacker to post links, and thus I would be interested in knowing, other ways to exploit this issue for the view point of a victim who is already logged into the application.

Also, to be noted that in the above scenario, session fixation will be the only means to carry out a Cross Site Scripting Attack. As otherwise without knowing the victim's unique session-id XSS attack will fail. Again, exploiting XSS this way, will be easy if the victim is unauthenticated. In case of victim having a valid session, attacker first needs to grab the session-id first and then exploit the XSS vulnerability.


Leave a Reply

Your email address will not be published. Required fields are marked *