Session Fixation is an attack technique that exploits weaknesses in the application's Session ID (SID) management. When it authenticates a user, the application does not issue a new SID, so an attacker can reuse a SID that already exists.
This attack consists of:
In practice, the attack amounts to taking over the victim's session with the web server once the victim has logged in. Common techniques include:
Secure application development is an effective way to combat these kinds of vulnerabilities. Developers are advised to take the following steps:
CxSAST scans the application source code and warns the user when it finds session handling with no session invalidation in place.
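To make the weakness and the mitigation concrete, here is an added example (written for this page, not Checkmarx's or CxSAST's code) that contrasts a login handler which keeps the pre-login SID with one that invalidates it and issues a new SID at authentication. The in-memory `SessionStore` and the two `login_*` functions are constructed stand-ins for a web framework's session backend.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed stand-in for a framework backend)."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": username or None}

    def create(self):
        """Issue a fresh, unpredictable SID for an anonymous visitor."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login_vulnerable(store, sid, username):
    """Weak pattern: the pre-login SID is kept and merely marked authenticated.
    Anyone who already knew that SID now shares the authenticated session."""
    session = store.get(sid)
    if session is None:
        return None
    session["user"] = username
    return sid


def login_hardened(store, sid, username):
    """Mitigation: drop the pre-login session and issue a new SID at the
    moment of authentication, so a SID known beforehand is worthless."""
    store.invalidate(sid)  # the old SID no longer resolves to any session
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid


def old_sid_still_authenticates(login_fn):
    """Check whether the SID held before login still resolves to an
    authenticated session afterwards. True means fixation is possible."""
    store = SessionStore()
    pre_login_sid = store.create()  # SID that existed before authentication
    login_fn(store, pre_login_sid, "alice")
    session = store.get(pre_login_sid)
    return session is not None and session["user"] == "alice"
```

Running `old_sid_still_authenticates` against each handler shows the vulnerable one returns True and the hardened one returns False; a code review or SAST rule looks for exactly this missing invalidation at the authentication boundary.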
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.