Session Fixation

Session fixation is an attack that takes advantage of poor session ID management. The attacker is able to hijack a valid user's session by tricking the user into logging into a web application with a session ID set by the attacker.

Attack Vector

  1. The attacker generates a session ID. This may be an arbitrary ID or the attacker can login to the website to obtain a valid session ID.

  2. The attacker gets the victim to login using the session ID they generated. This step often includes a social engineering scheme and other attack techniques depending on how the web application tracks the session ID (i.e. via GET request, POST request, or cookies).

  3. Once the victim has been authenticated with the set session ID, the attacker can access the web application posing as the victim by using the same session ID.

Impact

A successful session fixation attack gives the attacker access to the victim's account. This could mean access to higher level privileges or the ability to look at sensitive data.

Attack Examples

Example 1

The cs166 website recognizes the current user's session ID in the URL via a GET request (ex. cs166.com/?SID=12345). Alice wants to change her grade on the website, so puts together a phishing scheme that entices Bernardo to click on a link she put together cs166.com/login?SID=12345. Once Bernardo has logged in using Alice's link, Alice can now access the cs166 website under Bernardo's account using "12345" as the session ID. This gives her admin privileges and she rewards herself with an A in the class.

Example 2

bank.com tracks a user's session ID using cookies. Eve wants access to Bob's account on bank.com, so she decides to fix his session ID using a XSS attack. Eve writes a malicious script that sets Bob's session ID in his cookie to "abcd":

document.cookie="sessionid=abcd";

And leaves it on a page of bank.com that Bob frequently visits. Once Eve's evil script has been executed and Bob logs into his account on bank.com, she can use "abcd" as the session ID to access bank.com as Bob.

Defenses

Some good practices to avoid session fixation attacks are

  1. Generate a new session ID every time a user authenticates themself, even if a set session ID has been provided in the request.

  2. Timeout user sessions after a short period of time with no activity. This will limit the amount of time the attacker is able to spend on the victim's session with the current session ID.

Criteria for Demonstration

To demonstrate a session fixation attack, show that you can

  1. Set another user's session ID without direct access to their browser (you may need to use another exploit for this).

  2. Show that the session ID does not change from the one you set it to once the user logs in.

  3. Login as the other user on your browser using the session ID you set.

Other resources

https://www.acunetix.com/blog/web-security-zone/what-is-session-fixation/

https://www.checkmarx.com/knowledge/knowledgebase/session-fixation

http://www.acros.si/papers/session_fixation.pdf

https://en.wikipedia.org/wiki/Session_fixation

srowley2