Session Fixation lesson plan and solution edited

git-svn-id: http://webgoat.googlecode.com/svn/trunk@339 4033779f-a91e-0410-96ef-6bf7bf53c507
wirth.marcel
2008-04-15 09:43:01 +00:00
parent e2ca7f9a33
commit 3a1397f178
2 changed files with 15 additions and 13 deletions

@ -11,14 +11,15 @@ How to steal a session with a 'Session Fixation'
</p>
A user is recognized by the server by an unique Session ID. If a
user has logged in and is authorized he does not have to
reauhorize when he revisits the application as the user is recognized
reauthorize when he revisits the application as the user is recognized
by the Session ID. In some applications it is possible to deliver
the Session ID in the Get-Request. Here is where the attack starts.
<br><br>
An attacker can send a hyperlink to a victim with a choosen Session ID.
This can be done for example by a phishing mail.
If the victim clicks on the link and loggs in he is authorized
by the Session ID the attacker has choosen. The attacker
An attacker can send a hyperlink to a victim with a chosen Session ID.
This can be done for example by a prepared mail which looks like an
official mail from the application administrator.
If the victim clicks on the link and logs in he is authorized
by the Session ID the attacker has chosen. The attacker
can visit the page with the same ID and is recognized as the victim and
gets logged in without authorization.
</div>
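Review bot: the unchanged context line "A user is recognized by the server by an unique Session ID" still reads "an unique", and the following sentence still says "Get-Request"; since this commit is a spelling pass over the same paragraph, fix both ("a unique Session ID", "GET request") here as well. The rewritten mail sentence drops the word "phishing", which is the term a learner would look up, so consider "a phishing mail which looks like an official mail from the application administrator". The paragraph also stops at "gets logged in without authorization" without naming the cause: the victim "is authorized by the Session ID the attacker has chosen", meaning the application keeps the pre-login Session ID after authentication. A closing sentence saying that, and that issuing a new Session ID at login prevents it, would give the lesson plan its mitigation.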