From e3bc01dc52989ffc2b9893d77b48ab16a554764d Mon Sep 17 00:00:00 2001 From: "wirth.marcel" Date: Wed, 9 Apr 2008 17:14:24 +0000 Subject: [PATCH] Session Fixation Lessons Plan git-svn-id: http://webgoat.googlecode.com/svn/trunk@313 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../lesson_plans/SessionFixation.html | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 webgoat/main/project/WebContent/lesson_plans/SessionFixation.html diff --git a/webgoat/main/project/WebContent/lesson_plans/SessionFixation.html b/webgoat/main/project/WebContent/lesson_plans/SessionFixation.html new file mode 100644 index 000000000..2e4d7dac6 --- /dev/null +++ b/webgoat/main/project/WebContent/lesson_plans/SessionFixation.html @@ -0,0 +1,32 @@ +
+

Lesson Plan Title: Session Fixation

+
+ +

Concept / Topic To Teach:

+How to steal a session with a 'Session Fixation' +
+
+

+How the attacks works: +

+A user is recognized by the server by an unique Session ID. If a +user has logged in and is authorized he does not have to +reauhorize when he revisits the application as the user is recognized +by the Session ID. In some applications it is possible to deliver +the Session ID in the Get-Request. Here is where the attack starts. +

+An attacker can send a hyperlink to a victim with a choosen Session ID. +This can be done for example by a phishing mail. +If the victim clicks on the link and loggs in he is authorized +by the Session ID the attacker has choosen. The attacker +can visit the page with the same ID and is recognized as the victim and +gets logged in without authorization. +
+

General Goal(s):

+ +This lesson has several stages. You play the attacker but also the victim. +After having done this lesson it should be understood how +a Session Fixation in general works. It should be also understood that +it is a bad idea to use the Get-Request for Session IDs. + +
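Review bot: the student-facing text in this hunk carries several spelling and grammar errors that will render verbatim in the lesson plan: "an unique Session ID" should read "a unique session ID", "reauhorize" should be "reauthorize", "choosen" (used twice) should be "chosen", "loggs in" should be "logs in", and the heading "How the attacks works" should be "How the attack works". "Get-Request" is also non-standard; what the paragraph means is a session ID carried in the URL query string, so "GET request" or "URL parameter" would be clearer. On substance, the General Goal(s) paragraph stops at "it is a bad idea to use the Get-Request for Session IDs", which leaves students with only half the lesson: consider adding one sentence that the server must issue a fresh session ID at the moment the user authenticates, so an ID the victim arrived with can never be promoted to an authenticated session. That is the countermeasure the attack narrative above implicitly calls for, and the lesson should state it.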