Session Fixation

Lesson Plan Title: Session Fixation

Concept / Topic To Teach:
How to steal a session with a 'Session Fixation'

How the attacks works:
A user is recognized by the server by an unique Session ID. If a user has logged in and is authorized he does not have to reauhorize when he revisits the application as the user is recognized by the Session ID. In some applications it is possible to deliver the Session ID in the Get-Request. Here is where the attack starts.

An attacker can send a hyperlink to a victim with a choosen Session ID. This can be done for example by a phishing mail. If the victim clicks on the link and loggs in he is authorized by the Session ID the attacker has choosen. The attacker can visit the page with the same ID and is recognized as the victim and gets logged in without authorization.

General Goal(s):
This lesson has several stages. You play the attacker but also the victim. After having done this lesson it should be understood how a Session Fixation in general works. It should be also understood that it is a bad idea to use the Get-Request for Session IDs.

Solution:
This lesson has 4 stages. In stage 1 and 4 you are Hacker Joe in lesson 2 and 3 you are the victim Jane.

Stage 1:
You have to send a phishing mail to Jane with a link containing a Session ID. The mail is already prepared. You only have to alter the link so it includes a Session ID (SID). You can archive this by adding &SID=WHATEVER to the link. Of course can WHATEVER be replaced by any other string. The link should look similar to following:
<a href=http://localhost/WebGoat/attack?Screen=46&menu=320&SID=WHATEVER>

Image 1: Phishing Mail

Stage 2:
Now you are Jane which receives the mail you wrote in stage 1. Point with the mouse on the link and you will notice the SID in the status bar of your browser. This is the easiest stage as you have only to click on the link 'Goat Hills Financial'.

Image 2: Received Phishing Mail

Stage 3:
You are on the login screen of Goat Financial Hills now. In the URL is the SID visible. All you have to do is to log in with your user name Jane and your password tarzan.

Image 3: Goat Hills Financial Login Screen

Stage 4:
The application switches again to the hacker Joe. There is already a prepared link you have to click on to reach the Goat Hill Financial. In real life this would be different of course. You could directly put the URL in the address bar of your browser.

After having clicked on the provied link you reach Goat Hill Financial. Take a look at the URL and you will see that your SID is NOVALIDSESSION. Change this string to the SID you have chosen at the beginning of this lesson and hit enter.

Image 4: Browser Address Bar Before Changes

Image 5: Browser Address Bar After Changes

Congratulation! You are logged in as Jane and the lesson was successful.

Image 6: Successful Completion Of The Lesson