Details
Assignee: Unassigned
Reporter: Cobalt IO
HB Backlog Status: NB
Priority: Medium
PagerDuty
Created February 5, 2022 at 5:48 PM
Updated June 8, 2022 at 6:33 PM
Overview
Session Fixation is an attack that permits an attacker to hijack a valid user session. It exploits a weakness in how the web application manages the session ID: the vulnerable application does not assign a new session ID when it authenticates a user, so the session ID that existed before login remains valid afterwards. The attack consists of obtaining a valid session ID (e.g. by simply connecting to the application), inducing a user to authenticate with that session ID, and then hijacking the now-authenticated session by knowledge of that ID. The attacker has to supply a legitimate web application session ID and make the victim's browser use it.
Session fixation is a class of session hijacking. Classic session hijacking steals the session established between the client and the web server after the user logs in; session fixation instead plants a known session ID in the victim's browser beforehand, so the attack starts before the user logs in.
https://cwe.mitre.org/data/definitions/384.html
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
Browser URL
https://onmspentest.eastus.cloudapp.azure.com/opennms/login.jsp
Steps To Reproduce
Sign out from the web application.
Make a note of the pre-login JSESSIONID in the cookie jar on the login page.
Log in to the application with user credentials and observe that the cookie jar still contains the same pre-login JSESSIONID, which now acts as the active session cookie for the logged-in user.
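The steps above can be turned into a regression check that a defender runs against a test instance after deploying a fix. The following Java program is an added example, not part of the finding or of OpenNMS: it loads the login page without a session, records the JSESSIONID that is issued, authenticates with the same cookie jar, and reports whether the ID changed. The base URL (args[0]), the LOGIN_USER / LOGIN_PASS environment variables, the form field names j_username / j_password and the LOGIN_ACTION path are assumptions; check the login form's action attribute and adjust them for the application under test.

```java
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpCookie;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

/**
 * Added regression check (not OpenNMS code): replays the reproduction steps
 * and fails when the pre-login JSESSIONID survives authentication.
 *
 * Assumptions: base URL in args[0] (e.g. https://host/opennms/), credentials
 * in LOGIN_USER / LOGIN_PASS, form fields j_username / j_password, and the
 * LOGIN_ACTION path below (placeholder; read it from the login form).
 */
public class SessionRotationCheck {

    static final String LOGIN_PAGE = "login.jsp";
    static final String LOGIN_ACTION = "LOGIN_ACTION_PLACEHOLDER"; // hypothetical: the form's action path

    /** The JSESSIONID currently held for this URI, if any. */
    static Optional<String> sessionId(CookieManager jar, URI uri) {
        return jar.getCookieStore().get(uri).stream()
                .filter(c -> "JSESSIONID".equalsIgnoreCase(c.getName()))
                .map(HttpCookie::getValue)
                .findFirst();
    }

    /** True when the application issued a different ID after login (fix in place). */
    static boolean rotated(String before, String after) {
        return after != null && !after.equals(before);
    }

    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        URI base = URI.create(args[0].endsWith("/") ? args[0] : args[0] + "/");
        String user = System.getenv("LOGIN_USER");
        String pass = System.getenv("LOGIN_PASS");

        CookieManager jar = new CookieManager(null, CookiePolicy.ACCEPT_ALL);
        HttpClient client = HttpClient.newBuilder()
                .cookieHandler(jar)
                .followRedirects(HttpClient.Redirect.NEVER) // keep the post-login 302 visible
                .build();

        // Steps 1-2: unauthenticated request to the login page; record the pre-login ID.
        client.send(HttpRequest.newBuilder(base.resolve(LOGIN_PAGE)).GET().build(),
                HttpResponse.BodyHandlers.discarding());
        String before = sessionId(jar, base)
                .orElseThrow(() -> new IllegalStateException("no JSESSIONID set before login"));

        // Step 3: authenticate while still carrying that cookie.
        String form = "j_username=" + enc(user) + "&j_password=" + enc(pass);
        HttpResponse<Void> login = client.send(
                HttpRequest.newBuilder(base.resolve(LOGIN_ACTION))
                        .header("Content-Type", "application/x-www-form-urlencoded")
                        .POST(HttpRequest.BodyPublishers.ofString(form))
                        .build(),
                HttpResponse.BodyHandlers.discarding());
        String after = sessionId(jar, base).orElse(null);

        // Only report the comparison; the IDs themselves are session secrets.
        System.out.printf("login returned HTTP %d; session ID rotated: %b%n",
                login.statusCode(), rotated(before, after));
        if (!rotated(before, after)) {
            System.out.println("FAIL: pre-login JSESSIONID reused after authentication (session fixation)");
            System.exit(1);
        }
        System.out.println("OK: a new session ID was issued at login");
    }
}
```

Run it as `LOGIN_USER=... LOGIN_PASS=... java SessionRotationCheck.java https://host/opennms/` (Java 11 or later) against a staging instance; a non-zero exit means the finding still reproduces. Redirects are deliberately not followed so that a successful login is observed directly on the POST response rather than on whatever page it redirects to.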
Suggested Fix
Web applications must ignore any session ID present in the user's browser at login and must always generate a new session ID to which the user will log in if successfully authenticated.
Always regenerate the session token after the user has properly authenticated, and only then associate the authenticated identity with the session.
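As an added illustration of the suggested fix (example code, not OpenNMS's own login handling), the servlet below verifies credentials first and only then replaces the session the browser arrived with, carrying over any pre-login attributes that should survive. The class is abstract because the credential check itself is assumed to be supplied by the application; the attribute name "user" and the redirect target are assumptions too.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not OpenNMS code): a login servlet that discards the
 * pre-login session ID once the user has authenticated, so an ID an attacker
 * planted before login never becomes an authenticated session.
 */
public abstract class FixationSafeLoginServlet extends HttpServlet {

    /** Hypothetical hook: the application's existing credential check. */
    protected abstract boolean authenticate(String username, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");

        if (user == null || pass == null || !authenticate(user, pass)) {
            // Failed login: the pre-login session is left untouched and unauthenticated.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Success: drop the ID the browser brought, then bind the identity to the NEW session.
        HttpSession fresh = regenerateSession(req);
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }

    /**
     * Invalidate the current session and start a new one, copying over the
     * attributes that were set before login (e.g. a CSRF token or a "return to"
     * URL). The container issues a new JSESSIONID with the new session. On a
     * Servlet 3.1+ container the one-liner req.changeSessionId() does the same
     * without the copy; this version works on any servlet version.
     */
    static HttpSession regenerateSession(HttpServletRequest req) {
        Map<String, Object> keep = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                keep.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the pre-login ID is now worthless to whoever knows it
        }
        HttpSession fresh = req.getSession(true);
        keep.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

The order matters: nothing that marks the session as authenticated may be stored before regenerateSession has run, otherwise the copied attributes would carry the login state back into a session whose ID the attacker already knows. Applications that delegate login to Spring Security get the same behaviour from its session-fixation protection in the sessionManagement configuration, provided it has not been disabled.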
Cobalt URL
#PT9265_5