Session fixation is an attack where the attacker fixes the session in advance and just waits for the user to login in order to hijack it. This is very much applicable to the SIDs in the URL scenario. If the application associates a user with an incoming SID without checking if it is generated by the server, then this attack is possible.
An attacker logs into the site www.vulnerablesite.com. The server sets a cookie value and returns it to him, say Set-Cookie: SID=123xyz
The attacker now sends a link to the victim, http://www.vulnerablesite.com/test.php?SID= 123xyz
The victim logs on and the server now assigns the SID value to him. (Why? Due to bad coding, the server does not check if it is generated by itself and tags it with the users).
The attacker, who already knows the SID value he used, can now just use the same and access the victim’s account.
Prevention of Session fixation
To defend against session fixation, ensure your Web application developers code their applications so they assign a different session cookie immediately after a user authenticates to the application, and also verify they do not include the cookie value in the URL. By taking these precautions, you’ll ensure no one can gain access to the cookie before the user authenticates.
An attacker logs into the site www.vulnerablesite.com. The server sets a cookie value and returns it to him, say Set-Cookie: SID=123xyz
The attacker now sends a link to the victim, http://www.vulnerablesite.com/test.php?SID= 123xyz
The victim logs on and the server now assigns the SID value to him. (Why? Due to bad coding, the server does not check if it is generated by itself and tags it with the users).
The attacker, who already knows the SID value he used, can now just use the same and access the victim’s account.
To defend against session fixation, ensure your Web application developers code their applications so they assign a different session cookie immediately after a user authenticates to the application, and also verify they do not include the cookie value in the URL. By taking these precautions, you’ll ensure no one can gain access to the cookie before the user authenticates.
%2Bdork%2Blist%2Binfosec%2Baffairs.png)
No comments:
Post a Comment