Lesson Plan Title: Session Fixation

Concept / Topic To Teach:

How to steal a session with a 'Session Fixation'

How the attacks works:

A user is recognized by the server by an unique Session ID. If a user has logged in and is authorized he does not have to reauhorize when he revisits the application as the user is recognized by the Session ID. In some applications it is possible to deliver the Session ID in the Get-Request. Here is where the attack starts.

An attacker can send a hyperlink to a victim with a choosen Session ID. This can be done for example by a phishing mail. If the victim clicks on the link and loggs in he is authorized by the Session ID the attacker has choosen. The attacker can visit the page with the same ID and is recognized as the victim and gets logged in without authorization.

General Goal(s):

This lesson has several stages. You play the attacker but also the victim. After having done this lesson it should be understood how a Session Fixation in general works. It should be also understood that it is a bad idea to use the Get-Request for Session IDs.