Can you give me an example of a session fixation attack?

I have read about session fixation and from what I understand it forces a user to use an attacker's session. Is this correct? Can you give me an example of how this could offend the user?

Tony, asked Jul 13 '09 21:07 (240 likes)



1 Answer

I don't usually like to post links to Wikipedia, but here's a link to a very good explanation on Wikipedia...

Here's the meat of it:

  • Alice has an account at the bank http://unsafe/. Unfortunately, Alice is not very security savvy.

  • Mallory is out to get Alice's money from the bank.

  • Alice has a reasonable level of trust in Mallory, and will visit links Mallory sends her.

  1. Mallory has determined that http://unsafe/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe/ is thus not secure.
  2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
  3. Alice is interested and visits http://unsafe/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
  4. Mallory visits http://unsafe/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.
RichieHindle, answered Oct 20 '22 05:10 (97 likes)
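The four steps above, replayed in code as an added example (it is not part of the answer or of the Wikipedia article it quotes). A tiny in-memory session table stands in for the bank's server; `vulnerable_login` behaves like http://unsafe/ (it adopts whatever SID the browser presents, query string included, and keeps it after authentication), while `hardened_login` applies the defence the question is really asking about: only server-issued ids are recognised, and the id is regenerated at login. The names `SessionStore`, `run_scenario`, the `USERS` table and the password are constructed for the demo and are not from any real application.

```python
import secrets

# Constructed demo credential table; not a real account.
USERS = {"alice": "correct-horse-battery-staple"}


class SessionStore:
    """Server-side session table: session id -> session data."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        # 256-bit id from the OS CSPRNG, so Mallory cannot guess or choose it.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def vulnerable_login(store, presented_sid, username, password):
    """Mirrors http://unsafe/: the SID the browser presents (cookie or ?SID=)
    is adopted as-is, created if unknown, and kept after a successful login.
    Returns the sid the browser keeps using afterwards."""
    if presented_sid not in store.sessions:
        store.sessions[presented_sid] = {}        # attacker-chosen id accepted
    if USERS.get(username) != password:
        return presented_sid                      # failed login, nothing changes
    store.sessions[presented_sid]["user"] = username   # id not rotated: the bug
    return presented_sid


def hardened_login(store, presented_sid, username, password):
    """Defence: never adopt a client-supplied id, and issue a fresh id at login.
    Returns the sid the browser keeps using afterwards."""
    known = presented_sid in store.sessions       # only server-issued ids count
    if USERS.get(username) != password:
        return presented_sid if known else store.new_session()
    pre_login_data = store.sessions.pop(presented_sid) if known else {}
    new_sid = store.new_session()                 # rotate the id at the trust boundary
    store.sessions[new_sid] = dict(pre_login_data, user=username)
    return new_sid


def run_scenario(login):
    """Replay Mallory's steps 2-4 against a fresh server with the given login
    handler and report what each party can do afterwards."""
    store = SessionStore()
    fixed_sid = "I_WILL_KNOW_THE_SID"             # step 2: the id Mallory mails to Alice
    # Step 3: Alice follows the link, so her browser presents Mallory's id,
    # then logs in with her own credentials.
    alice_sid = login(store, fixed_sid, "alice", USERS["alice"])
    # Step 4: Mallory revisits with the id he chose.
    return {
        "mallory_sees": store.user_for(fixed_sid),
        "alice_sees": store.user_for(alice_sid),
        "alice_sid": alice_sid,
        "fixed_sid_known_to_server": fixed_sid in store.sessions,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, run_scenario(handler))
```

With the vulnerable handler Mallory's fixed id ends up bound to Alice's account; with the hardened one the fixed id never enters the session table, Alice walks away with a fresh random id, and Mallory's id resolves to nobody. The same two properties (reject ids the server did not issue, regenerate the id on every privilege change) are what frameworks' "regenerate session on login" calls implement.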