What is the session fixation attack?
When a user authenticates to a server, the server issues a session identifier, usually stored in a cookie in the user's browser. Subsequent requests carry that identifier, and the server uses it to look up the session and treat the requests as coming from the logged-in user.
In a session fixation attack, the attacker exploits a weakness in the web application's session handling to fix (set) the victim's session identifier to a value the attacker already knows, before the victim logs in. Once the victim authenticates, that identifier becomes a valid authenticated session, and the attacker can present it to the server to impersonate the victim, read sensitive information, and mount further attacks. The attacker never needs the victim's password and never logs in as the victim; the victim does the logging in, on a session the attacker controls.
How does the session fixation attack work?
Let's look at two ways the attack is carried out.
Example 1:
- The attacker finds a web application whose session handling is weak. Suppose the server accepts any session identifier the client supplies, for example from a query-string parameter in the URL, and does not check that it actually issued that identifier.
- The attacker uses social engineering to send the victim a link that carries the attacker's predefined session identifier, and convinces the victim to click on it, for example by claiming, "It's a link to some new features of the bank."
- The victim clicks on the link, and the login page appears.
- The victim logs in. Because the server kept the identifier from the link, the victim's authenticated session now has the identifier the attacker chose.
- The attacker sends requests carrying that same identifier and is treated as the logged-in victim, with full access to the account. The attacker can now steal sensitive information or perform further attacks.
Example 2:
- The attacker visits the website without logging in. The server issues a session identifier to this anonymous session, and the attacker notes it down.
- Using similar social engineering, the attacker sends the victim a link carrying that session identifier.
- The victim clicks on the link. The login page opens, and the victim logs in.
- The vulnerable server keeps the same session identifier across login instead of issuing a fresh one, so the victim's authenticated session now carries the identifier the attacker recorded.
- The attacker presents that identifier to the server and impersonates the victim.
Note that here the attacker uses a session identifier the server itself generated, rather than one the attacker made up. So even a server that accepts only session identifiers it has issued is not safe from session fixation …
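The following is an added example, not code from the original article: a small in-memory model (no real HTTP) of a server's session handling, with the two weaknesses from Example 1 (adopting a client-supplied identifier the server never issued) and Example 2 (not issuing a fresh identifier at login) as switchable policies, and both attack flows replayed against it. The account `alice`, the identifier carried in a `?sid=` query parameter, and the method names are assumptions for the demonstration.

```python
"""Session fixation: the two weaknesses from the text, and the fix.

Constructed toy model, not a real web framework. Session IDs are
carried either in a cookie or (as the attacker's link does) in a
query-string parameter; both are passed in explicitly here.
"""
import secrets

USERS = {"alice": "correct horse battery staple"}  # constructed test account


class Server:
    """Minimal session handling with two tunable policies.

    accept_client_ids: honour a session ID the client supplies even if the
        server never issued it (the Example 1 weakness).
    rotate_on_login: issue a fresh session ID when the user authenticates
        (its absence is the Example 2 weakness).
    """

    def __init__(self, accept_client_ids, rotate_on_login):
        self.accept_client_ids = accept_client_ids
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> logged-in username, or None

    def _new_session(self):
        sid = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        self.sessions[sid] = None
        return sid

    def visit(self, cookie_sid=None, query_sid=None):
        """Resolve the session for an unauthenticated request.

        Returns the session ID the client carries on afterwards (as if set
        by Set-Cookie). A query-string ID is looked at first, as in the
        attacker's link.
        """
        for sid in (query_sid, cookie_sid):
            if sid is None:
                continue
            if sid in self.sessions:
                return sid  # a session this server issued: accepted
            if self.accept_client_ids:
                self.sessions[sid] = None  # VULNERABLE: adopt arbitrary ID
                return sid
        return self._new_session()  # hardened: unknown ID is ignored

    def login(self, sid, username, password):
        """Authenticate; return the session ID that now carries the login."""
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        sid = self.visit(cookie_sid=sid)
        if self.rotate_on_login:
            # Fix: the pre-login ID, which the attacker may know, dies here.
            self.sessions.pop(sid, None)
            sid = self._new_session()
        self.sessions[sid] = username
        return sid

    def whoami(self, sid):
        """The user the server believes is behind this session ID, if any."""
        return self.sessions.get(sid)


def example_1(server):
    """Attacker plants an ID of their own choosing via the link. Returns
    True if the attacker ends up able to act as the victim."""
    fixed = "attacker-chosen-id"
    victim_sid = server.visit(query_sid=fixed)  # victim follows the link
    server.login(victim_sid, "alice", USERS["alice"])  # victim logs in
    return server.whoami(fixed) == "alice"  # attacker replays the fixed ID


def example_2(server):
    """Attacker first obtains a genuine, server-issued ID, then plants it."""
    fixed = server.visit()  # attacker's own anonymous visit
    victim_sid = server.visit(query_sid=fixed)
    server.login(victim_sid, "alice", USERS["alice"])
    return server.whoami(fixed) == "alice"


if __name__ == "__main__":
    for accept, rotate in [(True, False), (False, False), (False, True)]:
        s1 = Server(accept, rotate)
        s2 = Server(accept, rotate)
        print(f"accept_client_ids={accept!s:5} rotate_on_login={rotate!s:5} "
              f"example_1 hijacked={example_1(s1)} example_2 hijacked={example_2(s2)}")
```

The middle configuration (reject unknown identifiers, but do not rotate) is the case the note above describes: Example 1 fails, Example 2 still succeeds. Only issuing a fresh identifier at login (and, in a real deployment, reading the identifier from the cookie alone rather than from the URL) closes both.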