Session Fixation

Mohammad Mohsin
5 min read · Apr 22, 2022



Hi Folks!

This is my 18th blog on web application security penetration testing. In this blog I will explain the Session Fixation attack. In my last blog I explained the Content Spoofing attack; I hope everyone liked it. If you haven’t read it yet, please follow along.

What is Session Fixation?

The Session Fixation attack exploits the web session control mechanism, which is normally managed through a session token. Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most common method depends on a token that the web server sends to the client browser after a successful client authentication. A session token is normally a string of variable length, and it can be carried in different ways: in the URL, in the header of the HTTP request as a cookie, in other parts of the HTTP request header, or in the body of the HTTP request.

The obvious question that comes to mind is “What is the difference between Session Fixation and Session Hijacking?” Confused?

Session Hijacking is simply the act of stealing an existing, valid session cookie, most commonly by sniffing network traffic (a MITM attack), cross-site scripting or cross-site tracing, but also through any other way a session ID may be leaked.

Session fixation is similar but inverted — a pre-defined session cookie is planted into the victim’s browser. After the victim logs into the website, they use the session cookie that the attacker already knows, so the attacker-owned cookie is now authenticated and can be exploited.
Of course, that requires the attacker to have temporary access to the victim’s browser itself, but the principle is very simple — there’s no need to steal the data if it is under your control in the first place.

How to Test Session Fixation?

Test: the session ID is the same before and after login. [Session Fixation] [Requires physical access to the victim’s browser to set a previously known valid session ID, which is exploited later to view or modify the victim’s web content.]

Step 1] Visit the login page. Open the cookie editor extension already installed in the web browser, look at the cookies and copy the session ID.

Step 2] Log in to the application. Open the cookie editor again and copy the session cookie.

Step 3] If both session IDs are the same, report the issue.

Session Fixation Exploitation Example:

To better understand it, I would like to add one example taken from real-world pen-testing experience. Please follow the step-by-step POC for exploitation.

Note:

Attacker’s browser: Chrome

Victim’s browser: Firefox

1. As an attacker, browse the application in Chrome without logging in as the admin: request any page within the application and intercept that request. The intercepted request carries the session ID in the “PHPSESSID” cookie; make a note of it.

[Screenshot: Session ID Before Login]

2. Now the task is to fix the session ID (PHPSESSID) noted in the previous step into the victim’s browser. This can be done by exploiting an XSS vulnerability or by making the victim click a URL that carries the session ID in a GET parameter.
Here we have fixed the session into the victim’s browser (Firefox) by setting the previously noted session ID in that browser.

[Screenshot: Fixing Attacker’s Known Session ID Into Victim’s Web Browser]

3. Now let the victim log in to the application with the attacker’s session ID. Note that the application does not set a new session ID when the user logs in: the (attacker’s) session ID remains the same even after login.

[Screenshot: Victim Logging In to the Application]
[Screenshot: Victim Successfully Logged In]

4. Now, from the attacker’s browser, hit refresh. The admin panel is accessible without entering any credentials.

[Screenshot: Attacker Got the Victim’s Session as the Session ID Remains the Same After the Victim Logged In]

5. The attacker can now access the functionality shown below.

[Screenshot: Functionality Accessible to an Attacker]

Impact:

After the attack succeeds, the user’s account can be completely compromised, and the attacker is able to perform every operation that the user can perform.

Recommendation:

Below are the recommendations to counter the session fixation attack:

The first focuses on the session token itself: create a new session token, associate the new token with the existing session, disassociate the old token, and pass the new token to the client.

The second focuses on the entire session: create a new session, copy all of the session data from the old session to the new one, destroy the old session, and pass the token associated with the new session to the client.
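The following is an added example, not code from the original post or from the application that was tested. It models, in a few dozen lines of Python, the three-step test from “How to Test Session Fixation?”, the five-step exploitation walk-through above, and the second recommendation (new session, data copied, old session destroyed). The in-memory `App` class, the `/login` and `/admin` routes, the `PHPSESSID` cookie handling and the `admin`/`hunter2` credentials are all constructed assumptions made for the demonstration; only the cookie name comes from the post.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed demo credentials; not real values.
ADMIN_CREDS = ("admin", "hunter2")


class App:
    """Minimal stand-in for a PHP-style app whose session ID lives in PHPSESSID.

    regenerate_on_login=False reproduces the vulnerable behaviour from the post:
    the session ID issued before login is kept after a successful login.
    regenerate_on_login=True applies the second recommendation: a fresh session
    is created on login, the data is copied over and the old session destroyed.
    """

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> session data

    def request(self, cookie_header, path, form=None):
        """Handle one request; return (response body, Cookie header to use next)."""
        cookies = SimpleCookie(cookie_header or "")
        sid = cookies["PHPSESSID"].value if "PHPSESSID" in cookies else None
        if sid not in self.sessions:
            # Unknown or missing ID: issue a fresh, server-generated one.
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}

        if path == "/login" and form is not None:
            if (form.get("user"), form.get("pass")) == ADMIN_CREDS:
                if self.regenerate_on_login:
                    new_sid = secrets.token_hex(16)
                    # Copy the data to the new session and destroy the old one.
                    self.sessions[new_sid] = self.sessions.pop(sid)
                    sid = new_sid
                self.sessions[sid]["user"] = "admin"
                body = "login ok"
            else:
                body = "bad credentials"
        elif path == "/admin":
            authed = self.sessions[sid].get("user") == "admin"
            body = "admin panel" if authed else "403 login required"
        else:
            body = "public page"
        return body, f"PHPSESSID={sid}"


def sid_of(cookie_header):
    return SimpleCookie(cookie_header)["PHPSESSID"].value


def session_id_changes_on_login(app):
    """Steps 1-3 of the testing section: compare the session ID pre and post login.

    Returns False when the IDs match, i.e. the finding should be reported.
    """
    _, cookie = app.request(None, "/login")                       # step 1
    before = sid_of(cookie)
    _, cookie = app.request(cookie, "/login",
                            {"user": "admin", "pass": "hunter2"})  # step 2
    after = sid_of(cookie)
    return before != after                                        # step 3


def fixation_succeeds(app):
    """The exploitation walk-through: does the attacker's pre-login ID become
    authenticated once the victim logs in with it?"""
    _, attacker_cookie = app.request(None, "/")        # 1. attacker notes PHPSESSID
    victim_cookie = attacker_cookie                     # 2. ID planted in victim browser
    app.request(victim_cookie, "/login",
                {"user": "admin", "pass": "hunter2"})   # 3. victim logs in
    body, _ = app.request(attacker_cookie, "/admin")    # 4. attacker refreshes
    return body == "admin panel"                        # 5. admin functionality reachable?


if __name__ == "__main__":
    for regen in (False, True):
        app = App(regenerate_on_login=regen)
        print(f"regenerate_on_login={regen}: "
              f"id changes on login={session_id_changes_on_login(app)}, "
              f"fixation succeeds={fixation_succeeds(app)}")
```

Against a real target the same comparison is made on the `Set-Cookie` values returned before and after the login request; the `App` class only exists so the check and the fix can be run side by side offline. The regeneration branch is what `session_regenerate_id(true)` does in PHP, and it is why `fixation_succeeds` fails against the hardened instance: the attacker’s ID no longer maps to any session once the victim has logged in.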

References:

OWASP — Session Fixation

Please do like and follow for more reads!

Thanks!


Written by Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.
