Session Fixation – Cheat Sheet, Attack Examples & Protection

Session Fixation is an attack technique that exploits weaknesses in the application's Session ID (SID) management. If the application does not assign a new SID when it authenticates a user, an existing SID that the attacker already knows can be used for the attack.


What is Session Fixation?

This attack consists of:

  1. Obtaining a valid Session ID (SID).
  2. Tricking the victim into authenticating with the aforementioned SID.
  3. Using the SID to impersonate the victim in the web session.


In short, the attacker takes over the victim's session with the web server once the victim has logged in. Common techniques include:


  • Session Token in the URL Argument – This is the most common form of Session Fixation: the attacker sends the victim a URL for the vulnerable website that carries a valid SID. Once the victim opens the website through that URL and authenticates, the attacker can use the same session.
  • Session Token in a hidden form field – Less common than the previous method: the attacker must trick the victim into submitting a crafted login form, hosted on an attacker-controlled page, that carries the SID in a hidden field. The same form can also be delivered in an HTML-formatted email.
  • Session ID in a cookie – This method relies on the browser's ability to execute client-side scripting or to act on response headers. The attacker can plant the SID cookie in the victim's browser through Cross-Site Scripting (XSS) or other client-side script, a <META> tag, or an HTTP response header.


Session Fixation example

[Figure: Session Fixation]

  1. The malicious attacker connects to the web server.
  2. The web server generates a SID (1234) and issues it to the attacker.
  3. The attacker then crafts a malicious URL containing the SID and uses various techniques (e.g. phishing) to trick the victim into clicking the URL.
  4. The victim clicks on the URL. The server sees that the request already carries a SID and keeps using it instead of issuing a new one.
  5. The user logs into the website with his username and password.
  6. The attacker now has an authenticated session and can interact with the vulnerable web server on the victim’s behalf.


How to prevent Session Fixation attacks?

Secure application development is an effective way to combat these kinds of vulnerabilities. Developers are advised to take the following steps:

  • Invalidate any existing session identifier before authorizing a new session, i.e. issue a fresh SID when the user authenticates.
  • Time out user sessions to limit the attacker's window of opportunity.
  • Do not include SIDs in URLs; it is an unsafe practice.
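The following is an added illustration, not code from the original article or from Checkmarx: a minimal in-memory session store (constructed for this example) with a login handler that keeps the pre-authentication SID beside one that invalidates it and issues a fresh SID, replayed against the six-step scenario above. The `SessionStore` class, its method names and the "victim" username are assumptions made for the example.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for illustration)."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": username or None}

    def get_or_create(self, sid):
        # Anonymous request: keep a presented SID the server issued earlier,
        # otherwise generate a new one (steps 2 and 4 of the scenario).
        if sid is None or sid not in self.sessions:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        # Keeps the pre-authentication SID: whoever already knows it
        # (the attacker who obtained it in step 2) now holds an
        # authenticated session.
        sid = self.get_or_create(sid)
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        # Mitigation: invalidate the existing SID and issue a fresh one
        # at authentication, so a SID known before login is worthless.
        if sid in self.sessions:
            del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def fixation_scenario(fixed):
    """Replay steps 1-6 and return the user the attacker's SID resolves to."""
    store = SessionStore()
    attacker_sid = store.get_or_create(None)          # steps 1-2
    victim_sid = store.get_or_create(attacker_sid)     # steps 3-4: SID reused
    login = store.login_fixed if fixed else store.login_vulnerable
    login(victim_sid, "victim")                        # step 5
    return store.whoami(attacker_sid)                  # step 6
```

With the vulnerable handler the attacker's SID resolves to the victim after login; with the fixed handler it resolves to no session at all.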


Preventing Session Fixation attacks with CxSAST

CxSAST scans the application source code and warns the user when it finds login flows that do not invalidate the existing session before authenticating the user.
