 

Session Fixation VS XSRF/CSRF

What defines the two respectively?

Session fixation is described as:

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.

Source: OWASP

Which seems rather close to what CSRF exploits. What distinguishes the two from each other, or is session fixation simply a synonym for, or a branch of, CSRF?

I would also like to mention that key terminology from the OWASP link I provided is almost identical to that used for CSRF.

Juxhin asked Mar 18 '15 13:03


1 Answer

No, it is not a synonym. Session fixation and CSRF are two different attacks.

Session fixation is a class of session hijacking. The attacker tries to steal, guess or fix the session id, then uses it to log in on the target website as the victim. It can be done in many ways. Basic protection is for the app to use the httpOnly flag, not transfer the session id in the URL (session.use_trans_sid=0, session.use_only_cookies=1) and take care of XSS vulnerabilities.

CSRF is another kind of attack. The attacker does not want the victim's session id, but rather causes the victim to perform an action on a server where the victim is properly logged in. So the victim performs the malicious action itself but does not know about it. How? The victim loads a page somewhere that contains a malicious link in the HTML (i.e. img src), or the target website contains an XSS vulnerability, which is a good point for loading external malicious JavaScript and issuing AJAX requests.

Standard protection is a CSRF token. It is another token (next to the session id) that is included in each sensitive request. The attacker should not know the current CSRF token for a particular user and so cannot prepare a malicious link or AJAX request. The CSRF token should be unique for each session. Sensitive requests are form submissions, deleting/setting something (permissions etc.). So the app does not have to protect absolutely every request. It is also not a good idea to transmit the CSRF token in the URL.

Look at OWASP for more info on CSRF.

kba answered Oct 09 '22 23:10
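To make the distinction in the answer concrete, here is an added example (not code from the question, the answer or OWASP) that models both attacks against one toy in-memory web app. The app, its routes, the credential and the token format are all invented for illustration, and Python is used only because the point is conceptual rather than PHP-specific. The same app is run twice: once with the fixation and CSRF defences switched off, once with them on. The fixation defence shown, regenerating the session id at login, is the standard counterpart to the cookie settings the answer lists (which stop the planted id from being delivered via the URL in the first place).

```python
"""Toy model of session fixation vs CSRF (added example, not from the original post)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class App:
    regenerate_on_login: bool = True   # session fixation defence
    check_csrf: bool = True            # CSRF defence
    sessions: dict = field(default_factory=dict)   # sid -> {"user", "csrf"}
    deleted: list = field(default_factory=list)    # record of destructive actions

    def ensure_session(self, sid):
        """Return sid if it names a live session, else mint a new anonymous one."""
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"user": None, "csrf": secrets.token_hex(16)}
        return sid

    def login(self, sid, user, password):
        """POST /login. Returns (sid the client must use from now on, status)."""
        sid = self.ensure_session(sid)
        if password != "correct-horse":  # constructed credential
            return sid, 403
        if self.regenerate_on_login:
            # Throw away whatever id the client arrived with (it may have been
            # planted by an attacker) and bind the login to a fresh one.
            state = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = state
        self.sessions[sid]["user"] = user
        return sid, 200

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def csrf_token(self, sid):
        """Embedded in the app's own forms; a cross-origin page cannot read it."""
        return self.sessions[sid]["csrf"]

    def delete_account(self, sid, token=None):
        """POST /delete: a state-changing request that must be CSRF-protected."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is None:
            return 401
        if self.check_csrf and not (token and secrets.compare_digest(token, sess["csrf"])):
            return 403
        self.deleted.append(sess["user"])
        return 200


def run_session_fixation(app):
    """Attacker obtains an anonymous sid, gets the victim to log in with it
    (e.g. a session id carried in a URL, which session.use_trans_sid=1 allows),
    then presents the same sid. Returns who the attacker is logged in as."""
    planted_sid = app.ensure_session(None)
    _victim_sid, status = app.login(planted_sid, "victim", "correct-horse")
    assert status == 200
    return app.whoami(planted_sid)


def run_csrf(app, victim_sid):
    """Victim is already logged in. A third-party page makes the victim's browser
    POST /delete; the browser attaches the session cookie automatically, but the
    attacker cannot supply the per-session token. Returns the HTTP status."""
    return app.delete_account(victim_sid, token=None)


if __name__ == "__main__":
    weak = App(regenerate_on_login=False, check_csrf=False)
    print("fixation, no regeneration:", run_session_fixation(weak))   # victim
    safe = App()
    print("fixation, regeneration:   ", run_session_fixation(safe))   # None

    sid, _ = safe.login(None, "victim", "correct-horse")
    print("csrf without token:", run_csrf(safe, sid))                  # 403
    print("own form with token:", safe.delete_account(sid, safe.csrf_token(sid)))  # 200
```

The two scenarios show where the attacks differ: in fixation the attacker ends up holding a session that is authenticated as the victim, so the fix is to never let a pre-authentication id survive login; in CSRF the attacker never learns any session material at all, and the request is rejected only because the attacker's page cannot read the token the app rendered into its own form. The token comparison uses `secrets.compare_digest` so that a wrong guess cannot be distinguished by timing.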