6.2.2 Session Fixation

Session Fixation

Session Fixation is a web app security attack where an attacker sets or fixes a user's session identifier (session token) to a known value of the attacker's choice.

Subsequently, the attacker tricks the victim into using this fixed session id to log in, granting authorized access to the victim's session.

Phase 1 - Token Acquisition

The attacker obtains a session token issued by the target web app, this can be done in serveral ways, such as:

Session Prediction: predicting or guessing the session token, especially if it's predictable or lacks sufficient randomness.
Session Sniffing: intercepting the session token as it's transmitted over an unsercured network (e.g. not HTTPS), such as an open Wi-Fi hotspot

Phase 2 - Impersonation

When the attacker has the session token, sets or fixes the victim's session token to a known value that the attacker controls. This value could be one generated by the attacker or an existing valid session token.
The attacker lures the victim into using the fixed session token to log in to the web app, it can be done through various means:

Sending the victim a link that includes the fixed session token
Manipulating the victim into clicking on a specifically crasfted URL
Social engineering tactics to convince the victim to login under specific circumstances

Phase 3 - Hijacking

Once the victim logs in the fixed session token, the attacker can now hijack the victim's session. The web app recognizes the attacker as the legitimate user since the session token matches what is expected

Impact

Data Theft: access and steal the victim's sensitive data, such as personal info, financial details or confidential documents.
Account Takeover: change the victim's account setting, passwords, or email address, locking the victim out of their account.
Malicious Transactions: conduct unauthorized transactions, make purchases, or manipulate the victim's data.

Previous6.2.1 Session Hijacking Next6.2.3 Session Hijacking via Cookie Tampering

Session Fixation

Session Fixation is a web app security attack where an attacker sets or fixes a user's session identifier (session token) to a known value of the attacker's choice.

Subsequently, the attacker tricks the victim into using this fixed session id to log in, granting authorized access to the victim's session.

Phase 1 - Token Acquisition

The attacker obtains a session token issued by the target web app, this can be done in serveral ways, such as:

Session Prediction: predicting or guessing the session token, especially if it's predictable or lacks sufficient randomness.

Session Sniffing: intercepting the session token as it's transmitted over an unsercured network (e.g. not HTTPS), such as an open Wi-Fi hotspot

Phase 2 - Impersonation

When the attacker has the session token, sets or fixes the victim's session token to a known value that the attacker controls. This value could be one generated by the attacker or an existing valid session token.

The attacker lures the victim into using the fixed session token to log in to the web app, it can be done through various means:

Sending the victim a link that includes the fixed session token

Manipulating the victim into clicking on a specifically crasfted URL

Social engineering tactics to convince the victim to login under specific circumstances

Phase 3 - Hijacking

Once the victim logs in the fixed session token, the attacker can now hijack the victim's session. The web app recognizes the attacker as the legitimate user since the session token matches what is expected

Impact

Data Theft: access and steal the victim's sensitive data, such as personal info, financial details or confidential documents.

Account Takeover: change the victim's account setting, passwords, or email address, locking the victim out of their account.

Malicious Transactions: conduct unauthorized transactions, make purchases, or manipulate the victim's data.