6.2.2 Session Fixation

Session Fixation

Session Fixation is a web app security attack where an attacker sets or fixes a user's session identifier (session token) to a known value of the attacker's choice.

Subsequently, the attacker tricks the victim into using this fixed session id to log in, granting authorized access to the victim's session.

Phase 1 - Token Acquisition

• The attacker obtains a session token issued by the target web app, this can be done in serveral ways, such as:

1. Session Prediction: predicting or guessing the session token, especially if it's predictable or lacks sufficient randomness.

2. Session Sniffing: intercepting the session token as it's transmitted over an unsercured network (e.g. not HTTPS), such as an open Wi-Fi hotspot

Phase 2 - Impersonation

• When the attacker has the session token, sets or fixes the victim's session token to a known value that the attacker controls. This value could be one generated by the attacker or an existing valid session token.

• The attacker lures the victim into using the fixed session token to log in to the web app, it can be done through various means:

1. Sending the victim a link that includes the fixed session token

2. Manipulating the victim into clicking on a specifically crasfted URL

3. Social engineering tactics to convince the victim to login under specific circumstances

Phase 3 - Hijacking

• Once the victim logs in the fixed session token, the attacker can now hijack the victim's session. The web app recognizes the attacker as the legitimate user since the session token matches what is expected

Impact

• Data Theft: access and steal the victim's sensitive data, such as personal info, financial details or confidential documents.

• Account Takeover: change the victim's account setting, passwords, or email address, locking the victim out of their account.

• Malicious Transactions: conduct unauthorized transactions, make purchases, or manipulate the victim's data.