Fix Session Fixation Images (#899)
kingthorin authored Feb 28, 2024
1 parent 7f5129b commit f0b1f7f
Showing 1 changed file with 42 additions and 76 deletions.
118 changes: 42 additions & 76 deletions pages/attacks/Session_fixation.md
Expand Up @@ -2,11 +2,10 @@

layout: col-sidebar
title: Session fixation
author:
contributors:
author: mwood
contributors: Nsrav, Greenapple8189, KirstenS, Alan Jex, Mark Sienkiewicz, Bill Sempf, kingthorin
permalink: /attacks/Session_fixation
tags: attack, Session fixation
auto-migrated: 1

---

Expand Down Expand Up @@ -36,48 +35,41 @@ There are several techniques to execute the attack; it depends on how
the Web application deals with session tokens. Below are some of the
most common techniques:

**Session token in the URL argument:** The Session ID is sent to the
- **Session token in the URL argument:** The Session ID is sent to the
victim in a hyperlink and the victim accesses the site through the
malicious URL.

**Session token in a hidden form field:** In this method, the victim
- **Session token in a hidden form field:** In this method, the victim
must be tricked to authenticate in the target Web Server, using a login
form developed for the attacker. The form could be hosted in the evil
web server or directly in html formatted e-mail.

**• Session ID in a cookie:**
- **Session ID in a cookie:**
- Client-side script

o Client-side script
Most browsers support the execution of client-side scripting. In this
case, the aggressor could use attacks of code injection as the
[XSS](Cross-site_Scripting_\(XSS\) "wikilink") (Cross-site scripting)
attack to insert a malicious code in the hyperlink sent to the victim
and fix a Session ID in its cookie. Using the function document.cookie,
the browser which executes the command becomes capable of fixing values
inside of the cookie that it will use to keep a session between the
client and the Web Application.

Most browsers support the execution of client-side scripting. In this
case, the aggressor could use attacks of code injection as the
[XSS](Cross-site_Scripting_\(XSS\) "wikilink") (Cross-site scripting)
attack to insert a malicious code in the hyperlink sent to the victim
and fix a Session ID in its cookie. Using the function document.cookie,
the browser which executes the command becomes capable of fixing values
inside of the cookie that it will use to keep a session between the
client and the Web Application.
- META Tag

o
```
<META>
Is considered a code injection attack, however, different from
the XSS attack where undesirable scripts can be disabled, or the
execution can be denied. The attack using this method becomes much more
efficient because it's impossible to disable the processing of these
tags in the browsers.

tag
- HTTP header response-

<META>
```
tag also is considered a code injection attack, however, different from
the XSS attack where undesirable scripts can be disabled, or the
execution can be denied. The attack using this method becomes much more
efficient because it's impossible to disable the processing of these
tags in the browsers.

o HTTP header response

This method explores the server response to fix the Session ID in the
victim's browser. Including the parameter Set-Cookie in the HTTP header
response, the attacker is able to insert the value of Session ID in the
cookie and sends it to the victim's browser.
This method explores the server response to fix the Session ID in the
victim's browser. Including the parameter Set-Cookie in the HTTP header
response, the attacker is able to insert the value of Session ID in the
cookie and sends it to the victim's browser.

## Examples

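Review bot: `- HTTP header response-` carries a stray trailing hyphen, and the META paragraph now opens with `Is considered a code injection attack, however, ...`, having lost its subject when the broken `<META>` fence was removed; suggest `- HTTP header response` and `The <META> tag is also considered a code injection attack; however, ...`. The three explanatory paragraphs under `- Client-side script`, `- META Tag` and `- HTTP header response` are not indented under their sub-bullets, so the blank line plus an unindented paragraph closes the list and the next `- ` item starts a fresh one; indent those paragraphs to the sub-bullet level so the `Session ID in a cookie` item stays one block. Minor, and predating this change: `document.cookie` is a property, not a function, so "Using the function document.cookie" should read "Using the document.cookie property".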
Expand All @@ -86,24 +78,25 @@ cookie and sends it to the victim's browser.
The example below explains a simple form, the process of the attack, and
the expected results.

(1)The attacker has to establish a legitimate connection with the web
server which (2) issues a session ID or, the attacker can create a new
session with the proposed session ID, then, (3) the attacker has to send
1. The attacker has to establish a legitimate connection with the web
server which
2. issues a session ID or, the attacker can create a new
session with the proposed session ID, then
3. the attacker has to send
a link with the established session ID to the victim, they have to click
on the link sent from the attacker accessing the site, (4) the Web
on the link sent from the attacker accessing the site
4. the Web
Server saw that session was already established and a new one need not
to be created, (5) the victim provides their credentials to the Web
Server, (6) knowing the session ID, the attacker can access the user's
to be created
5. the victim provides their credentials to the Web
Server
6. knowing the session ID, the attacker can access the user's
account.

<center>

<https://wiki.owasp.org/images/9/9c/Fixation.jpg>
![](https://wiki.owasp.org/images/9/9c/Fixation.jpg)

Figure 1. Simple example of Session Fixation attack.

</center>

### Example 2

Client-side scripting
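Review bot: the new numbered list splits one run-on sentence across six items, so item 1 ends in `which` and items 2 to 6 begin mid-clause (`2. issues a session ID or, the attacker can create a new`, `4. the Web Server saw that session was already established`); rewrite each step as a self-contained sentence, e.g. `1. The attacker establishes a legitimate connection with the web server.`, `2. The web server issues a session ID (or the attacker creates a new session with a session ID of their choosing).`, `3. The attacker sends the victim a link carrying that session ID, and the victim follows it.` The image is now `![](https://wiki.owasp.org/images/9/9c/Fixation.jpg)` with empty alt text; put the Figure 1 caption in the alt text, and since the file is still hot-linked from wiki.owasp.org, check whether this repository expects images to be stored under its own assets directory rather than referenced from the old wiki.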
Expand All @@ -118,11 +111,9 @@ executed in the victim's browser.
` http://website.kom/<script>document.cookie=”sessionid=abcd”;</script>`

### Example 3
```
<META>

tag
```
META Tag

As well as client-side scripting, the code injection must be made in the
URL that will be sent to the victim.

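Review bot: the context line `http://website.kom/<script>document.cookie=”sessionid=abcd”;</script>` uses typographic quotes (”) around `sessionid=abcd`, which is a syntax error if the payload is pasted as JavaScript; since the broken `<META>` fence directly below it is being cleaned up in this hunk, swap them for straight quotes in the same change. `### Example 3` followed by the bare line `META Tag` mirrors `### Example 2` / `Client-side scripting`, so the heading structure is consistent.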
Expand All @@ -137,42 +128,17 @@ the server response can be made, intercepting the packages exchanged
between the client and the Web Application inserting the Set-Cookie
parameter.

<center>

<https://wiki.owasp.org/images/e/ed/Fixation2.jpg>
![](https://wiki.owasp.org/images/e/ed/Fixation2.jpg)

Figure 2. Set-Cookie in the HTTP header response

</center>

## Related [Threat Agents](Threat_Agents "wikilink")

- [:Category:Authorization](:Category:Authorization "wikilink")

## Related [Attacks](https://owasp.org/www-community/attacks/)

- [XSS Attacks](XSS_Attacks "wikilink")
- [Session hijacking attack](Session_hijacking_attack "wikilink")

## Related [Vulnerabilities](https://owasp.org/www-community/vulnerabilities/)

- [:Category:Session Management
Vulnerability](:Category:Session_Management_Vulnerability "wikilink")

## Related [Controls](https://owasp.org/www-community/controls/)

- [Session Fixation
Protection](Session_Fixation_Protection "wikilink")
- [XSS](XSS)
- [Session hijacking attack](Session_hijacking_attack)

## References

- <http://www.acros.si/papers/session_fixation.pdf>
- <http://en.wikipedia.org/wiki/Session_fixation>
- <http://www.derkeiler.com/pdf/Mailing-Lists/Securiteam/2002-12/0099.pdf>

## Categories

[Category:OWASP ASDR Project](Category:OWASP_ASDR_Project "wikilink")
[Category:Exploitation of
Authentication](Category:Exploitation_of_Authentication "wikilink")
[Category:Attack](Category:Attack "wikilink")

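Review bot: removing the Related Controls section drops the page's only pointer to mitigation (`Session Fixation Protection`); if that page or an equivalent exists on the site, keep a link to it under Related Attacks or a retained Controls heading rather than leaving the attack page without a countermeasure reference. The new relative links `[XSS](XSS)` and `[Session hijacking attack](Session_hijacking_attack)` resolve against the `/attacks/Session_fixation` permalink, so verify that each matches the target page's actual permalink (case included) before merging. As with Figure 1, `![](https://wiki.owasp.org/images/e/ed/Fixation2.jpg)` has empty alt text; use the Figure 2 caption there.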