Dark Mode

Settings

Capec-61 Detail

Session Fixation

Detailed Software Likelihood: Medium Typical Severity: High

Parents: 593

Threats: T292 T293 T375

Description

The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.

Not present

External ID Source Link Description
CAPEC-61 capec https://capec.mitre.org/data/definitions/61.html
CWE-384 cwe http://cwe.mitre.org/data/definitions/384.html
CWE-664 cwe http://cwe.mitre.org/data/definitions/664.html
CWE-732 cwe http://cwe.mitre.org/data/definitions/732.html
37 WASC http://projects.webappsec.org/Session-Fixation Session Fixation
OWASP Attacks https://owasp.org/www-community/attacks/Session_fixation Session fixation
REF-1 reference_from_CAPEC G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley
REF-601 reference_from_CAPEC https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)
Explore

  1. Setup the Attack: Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.

    2. Techniques
    The attacker chooses a predefined identifier that they know.
    The attacker creates a trap session for the victim.
Experiment

  1. Attract a Victim: Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging cross site scripting vulnerability, using META tags or setting HTTP response headers in a variety of ways.

    2. Techniques
    Attackers can put links on web sites (such as forums, blogs, or comment forms).
    Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service.
    Attackers can email attack URLs to potential victims through spam and phishing techniques.
Exploit

  1. Abuse the Victim's Session: Takeover the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier.

    2. Techniques
    The attacker loads the predefined session ID into their browser and browses to protected data or functionality.
    The attacker loads the predefined session ID into their software and utilizes functionality with the rights of the victim.
  1. Session identifiers that remain unchanged when the privilege levels change.
  2. Permissive session management mechanism that accepts random user-generated session identifiers
  3. Predictable session identifiers
  1. None: No specialized resources are required to execute this type of attack.
Low
Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attackers' motives.
Authorization Access Control Confidentiality
Gain Privileges Gain Privileges Gain Privileges
  1. Consider a banking application that issues a session identifier in the URL to a user before login, and uses the same identifier to identify the customer following successful authentication. An attacker can easily leverage session fixation to access a victim's account by having the victim click on a forged link that contains a valid session identifier from a trapped session setup by the attacker. Once the victim is authenticated, the attacker can take over the session and continue with the same levels of privilege as the victim.
  2. An attacker can hijack user sessions, bypass authentication controls and possibly gain administrative privilege by fixating the session of a user authenticating to the Management Console on certain versions of Macromedia JRun 4.0. This can be achieved by setting the session identifier in the user's browser and having the user authenticate to the Management Console. Session fixation is possible since the application server does not regenerate session identifiers when there is a change in the privilege levels. See also: CVE-2004-2182

We use cookies to ensure you get the best experience on our website.