Compare commits

1 Commits

f263888c03 ... gh-1165

| Author | SHA1 | Date |
|---|---|---|
| | 46f0411678 | |
| @ -0,0 +1,30 @@ | |||||||
|  | ==== Introduction | ||||||
|  |  | ||||||
|  | Session fixation is a security vulnerability that occurs when an attacker forces a user's session identifier (usually stored in a cookie) to be set to a value chosen by the attacker. | ||||||
|  | This attack can result in the attacker being able to impersonate the victim's session and gain unauthorized access to their account. | ||||||
|  |  | ||||||
|  | ==== How session fixation works | ||||||
|  |  | ||||||
|  | The following steps outline the process of a session fixation attack: | ||||||
|  |  | ||||||
|  | - The attacker obtains a session identifier (SID) from a valid session, either by generating one or through some other means. | ||||||
|  |  | ||||||
|  | - The attacker tricks the victim into clicking on a malicious link that includes the obtained SID. | ||||||
|  | This link might be sent via email, social engineering, or another method. | ||||||
|  |  | ||||||
|  | - When the victim clicks the malicious link, their browser uses the provided SID to identify the session. | ||||||
|  | The attacker can then use the same SID to access the victim's session after they log in. | ||||||
|  |  | ||||||
|  | - The attacker now has unauthorized access to the victim's account, effectively taking over their session. | ||||||
|  |  | ||||||
|  |  | ||||||
|  | ====  Implications and risks | ||||||
|  |  | ||||||
|  | A successful session fixation attack can have serious consequences, including: | ||||||
|  |  | ||||||
|  | - Unauthorized access to the victim's account and sensitive information. | ||||||
|  | - Ability to perform actions on behalf of the victim. | ||||||
|  | - Compromise of confidential data. | ||||||
|  | - Damage to the victim's reputation and trust in the web application. | ||||||
|  |  | ||||||
|  |  | ||||||
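Review bot: the four-step walkthrough never states the server-side defect that makes the attack work, namely that the application accepts a session identifier it did not itself issue, or keeps the pre-login identifier after the victim authenticates; as written, step 3 ("their browser uses the provided SID") reads as if the browser alone is at fault. Suggest adding a sentence after the list such as "The attack only succeeds because the application keeps using the attacker-chosen SID after the victim logs in", which also ties the explanation to the "Session regeneration" countermeasure later in the lesson. Minor: step 1 ("either by generating one or through some other means") is vague and could simply say the attacker obtains a valid SID by starting a session of their own, and the heading `====  Implications and risks` has a double space after `====`.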
| @ -0,0 +1,15 @@ | |||||||
|  | ==== Preventing session fixation attacks | ||||||
|  |  | ||||||
|  | Most modern web frameworks do a pretty decent job fixing the problem automatically. | ||||||
|  | Please read up on your framework before. | ||||||
|  |  | ||||||
|  | To defend against session fixation attacks, web developers can implement the following countermeasures: | ||||||
|  |  | ||||||
|  | - Never trust an url parameter: Never pass session identifiers via URLs, as these can be easily manipulated. | ||||||
|  | - Session regeneration: always change the session identifier upon significant events, such as login or privilege level change. | ||||||
|  | - Session timeout: Implement a session timeout mechanism that automatically logs out inactive users after a specified period. | ||||||
|  | This will help when an attacker sends an email to a victim with a link. | ||||||
|  | This way the link containing the session-id is already timed out. | ||||||
|  | - Random session identifiers: Generate session identifiers using a strong random number generator to make them difficult to guess or predict. | ||||||
|  | - Cookie attributes: Set `secure` and `HttpOnly` attributes for cookies to prevent manipulation and unauthorized access. | ||||||
|  |  | ||||||
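Review bot: the "Cookie attributes" bullet misdescribes what the two flags do: `Secure` restricts the cookie to HTTPS transport and `HttpOnly` hides it from client-side script; neither stops the server from accepting an attacker-supplied identifier, so they should be presented as defence in depth rather than as preventing "manipulation and unauthorized access". The "Session timeout" bullet has the same problem, since a timeout only helps if the victim waits longer than the timeout before following the link. Also, the sentence "Please read up on your framework before." is cut off (before what?), and "an url parameter" should read "a URL parameter" with the bullet label capitalised like the others.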
| @ -0,0 +1,17 @@ | |||||||
|  | ==== Let's try | ||||||
|  |  | ||||||
|  | Maybe WebGoat is vulnerable to a session fixation attack? | ||||||
|  | Create a new account, for example `attacker` and login to WebGoat. Email yourself with the link and click the link and login to WebGoat. | ||||||
|  |  | ||||||
|  |  | ||||||
|  | - Endpoint for logging in (POST) | ||||||
|  | - Goal is to get /users/..../profile this one checks session id cookie | ||||||
|  | - Email send to a specfic user should immediately login | ||||||
|  | - XSS should set cookie and endpoint should pick it up. | ||||||
|  | - | ||||||
|  |  | ||||||
|  | Screen 1 is send email | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
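Review bot: the bullet list and the line "Screen 1 is send email" read as the author's design notes (an endpoint list, an empty "-" bullet, "XSS should set cookie") rather than lesson content, and should be moved out of the published page before merge. The instruction "Email yourself with the link and click the link" also refers to a link the text never describes; say what the link is and where the learner obtains it. Typos: "specfic" -> "specific", "Email send to" -> "Email sent to".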
| @ -0,0 +1,3 @@ | |||||||
|  | === No longer hackable? | ||||||
|  |  | ||||||
|  | Someone submitted a bug report and the developers made some improvements. Can you still hack them? | ||||||
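Review bot: this heading uses `===` while every other section heading in the change uses `====`; confirm the intended nesting level so the page renders consistently. The sentence "Can you still hack them?" could also name the specific change the "developers" made, or at least state that the fix targets the session identifier handling, so the learner knows what to re-test.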
| @ -0,0 +1,10 @@ | |||||||
|  | In this lesson, you will learn about a common web application vulnerability called "Session Fixation." Session fixation is an attack that allows an attacker to set a victim's session identifier, potentially giving them unauthorized access to the victim's account. | ||||||
|  | We will explore how this attack works, its implications, and how to defend against it. | ||||||
|  |  | ||||||
|  | Goals: | ||||||
|  |  | ||||||
|  | By the end of this lesson, you will be able to: | ||||||
|  |  | ||||||
|  | - Explain what a session fixation attack is and how it works. | ||||||
|  | - Understand the potential risks and consequences of a successful session fixation attack. | ||||||
|  | - Implement countermeasures to defend against session fixation attacks in a web application. | ||||||
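Review bot: the second learning objective, "Understand the potential risks...", is not an observable outcome like the other two; reword to "Describe the potential risks..." so all three objectives are testable. Minor: "Session Fixation." is capitalised and has the period inside the quotes, whereas the rest of the lesson writes "session fixation" in lower case.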