Session Fixation Attack

OWASP 2013-A2 OWASP 2017-A2 OWASP 2021-A7 OWASP 2019-API2 OWASP PC-C6 CWE-384 WASC-37

Session fixation is an attack in which the attacker forces a victim's browser to use a session ID that the attacker already knows, then waits for the victim to authenticate. It exploits the way the web application manages session IDs: if the server keeps the same session ID across authentication instead of issuing a new one, the ID the attacker planted (for example through a crafted URL carrying the ID, or a cookie written by an XSS payload) now refers to the victim's authenticated session. The attacker then presents that ID and takes control of the session without ever learning the victim's credentials. Unlike hijacking by sniffing or guessing, the attacker does not have to steal the session ID afterwards; they chose it in advance. An application that also adopts arbitrary, never-issued session IDs sent by the client makes the attack easier still, because the attacker does not even need to obtain a valid ID from the server first.

Impact

The impact includes:

  • Session hijacking: the attacker takes over the victim's authenticated session and acts as that user for as long as the session stays valid.
  • Cross Site Scripting: an XSS flaw in the application (or a related domain that can set cookies for it) is the usual means of writing the fixed session ID into the victim's browser, so the two weaknesses compound each other.

Mitigation / Precaution

This vulnerability can be fixed by:

  • Ignoring any session ID supplied by the user's browser that the server did not itself issue, and generating a new session ID (invalidating the old one) on every successful authentication and on any change of privilege.
  • Updating the web framework and session-management libraries to the latest version, and checking how they behave: some regenerate the ID on login for you (Django's login() calls cycle_key()), while others leave it to the application (in PHP you must call session_regenerate_id(true) yourself).
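The following added example (not code from the original page or from any framework) models both the attack described above and the two mitigations in one tiny in-memory session store. The SessionStore class, its two flags, the run_attack walk-through and the user name "alice" are all assumptions made for the illustration; a real application would hold the same logic inside its framework's session middleware.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store. The two flags select the vulnerable
    or the hardened behaviour: whether the server adopts session IDs it never
    issued, and whether it regenerates the ID when the user authenticates."""

    def __init__(self, regenerate_on_login, accept_unknown_ids):
        self.regenerate_on_login = regenerate_on_login
        self.accept_unknown_ids = accept_unknown_ids
        self.sessions = {}  # session id -> {"user": username or None}

    def _new_session(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_sid):
        """Map the session ID presented by the client to a server-side session
        and return the ID the client should keep using."""
        if cookie_sid in self.sessions:
            return cookie_sid
        if cookie_sid is not None and self.accept_unknown_ids:
            # Vulnerable: adopt whatever ID the client sent, so an attacker can
            # choose the ID in advance without ever visiting the site.
            self.sessions[cookie_sid] = {"user": None}
            return cookie_sid
        # Hardened: an unknown ID is ignored and a fresh one is issued.
        return self._new_session()

    def login(self, sid, username):
        """Authenticate the session; returns the ID the client uses from now on."""
        if self.regenerate_on_login:
            # Fix: discard the pre-authentication ID and issue a fresh one, so an
            # ID known to a third party no longer refers to the logged-in session.
            del self.sessions[sid]
            sid = self._new_session()
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def run_attack(store, attacker_visits_first):
    """Session fixation walk-through against the given store. Returns the user
    the attacker's planted ID resolves to after the victim logs in; None means
    the attack failed."""
    # Step 1: the attacker obtains a session ID, either by visiting the site or
    # by inventing one (the latter only works if the server adopts unknown IDs).
    if attacker_visits_first:
        planted_sid = store.resolve(None)
    else:
        planted_sid = "attacker-chosen-id"  # constructed value, never issued
    # Step 2: the attacker plants that ID in the victim's browser (URL carrying
    # the ID, XSS writing the cookie, ...). The delivery is not modelled here.
    # Step 3: the victim's browser presents the planted ID and the victim logs in.
    victim_sid = store.resolve(planted_sid)
    victim_sid = store.login(victim_sid, "alice")
    # Step 4: the attacker sends a request with the ID they planted.
    return store.whoami(planted_sid)


if __name__ == "__main__":
    vulnerable = SessionStore(regenerate_on_login=False, accept_unknown_ids=True)
    hardened = SessionStore(regenerate_on_login=True, accept_unknown_ids=False)
    print("vulnerable server, attacker-chosen ID:", run_attack(vulnerable, False))
    print("hardened server, attacker-chosen ID:  ", run_attack(hardened, False))
    print("hardened server, server-issued ID:    ", run_attack(hardened, True))
```

Note that rejecting unknown IDs on its own is not a fix: with regenerate_on_login left off, an attacker who first obtains a legitimately issued ID can still plant it and hijack the session, which is why the regeneration step is the essential one.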
