Tuesday, December 7, 2010

SESSION FIXATION

  • What is Session Fixation ?
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn’t assign a new session ID, making it possible to use an existent session ID.


The attack consists of inducing a user to authenticate himself with a known session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it.

  • Attack Scenario :
1. Mallory has determined that http://unsafe/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe/ is thus not secure.

2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.

3. Alice is interested and visits http://unsafe/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.

4. Mallory visits http://unsafe/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.

  • Attack Process :
1. Session Setup:

First, the attacker either sets up a trap session on the target server and obtains that session’s ID, or selects a arbitrary session ID to be used in the attack. In some cases, the established trap session needs to be maintained by repeatedly sending requests referencing it to avoid idle session timeout.


2. Session Fixation:

Next, the attacker needs to introduce her session ID to the user’s browser, thereby fixing his session.

3. Session Entrance:

Finally, the attacker has to wait until the user logs in to the target server using the previously fixed session ID and then enter the user’s session.

  • Attack Example :
1. First, the attacker, who in this case is also a legitimate user of the system, logs in to the server and is issued a session ID 1234.

2. Then he sends a hyperlink http://online.worldbank.dom/login.jsp?sessionid=1234 to the user, trying to lure him into clicking on it.

3. The user clicks on the link, which opens the server’s login page in his browser.



4. Upon receipt of the request for login.jsp?sessionid=1234, the web application has established.

5. Finally, the user provides his credentials to the login script and the server grants him access to his bank account.

6. At this point, knowing the session ID, the attacker can also access the user’s account via account.jsp?sessionid=1234.

  • Countermeasures :
1. Web applications must ignore any session ID provided by the user’s browser at login and must always generate a new session to which the user will log in if successfully authenticated.

2. If possible, a web application on a strict system should only issue session IDs of newly generated sessions to users after they have successfully authenticated.

3. Session identifiers in URL (GET or POST variables) are not recommended as they simplify this attack. The session identifier on most modern systems is stored by default in an HTTP cookie, which has a moderate level of security. Use of the SSL/TLS session identifier is very secure.




Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...
Posted by Rajat Das at 6:37 AM

7 comments:

  1. AnonymousOctober 31, 2011 at 3:12 AM

    The best ever post on "Session Fixation". I like the fact "This vulnerability occurs only when an application while authenticating a user, it does not assign a new session ID, making it possible to use an existing session ID". Nobody says it as clearly as he has mentioned.

    ReplyDelete
  2. Rajat DasNovember 2, 2011 at 4:22 AM

    Thanks... Such comment will keep me motivated to spend some time for this blog...

    ReplyDelete
  3. AnonymousJanuary 6, 2015 at 4:41 AM

    Maybe it would further help people understand why the victim does not get the attackers session because of Step 1 of the example, where the attacker has logged in with his credentials and has a session id.

    Why doesn't the victim get access to the attacker's account through the shared session id, when the attacker is able to access the victim's session?

    I will let you guys think about it and will post the answer later on :)

    ReplyDelete
  4. Rajat DasJanuary 8, 2015 at 3:21 AM

    Hi,

    Try to understand the difference between session hijacking and session fixation first.

    In case of session hijacking the attacker fetch the session id from the targeted victim and gets access victim's account using that. .

    In case of session fixation attacker asks the victim to use a session id created by the attacker itself so that he can login victim's account using that.

    ReplyDelete
  5. logan pualDecember 31, 2017 at 3:21 AM

    they may ask you to enter a code or you may be rewarded. There has always been a certain order jailbreak roblox cheat

    ReplyDelete
  6. Aniqa RajputJanuary 23, 2018 at 5:34 AM

    Hacking is a practice of modification of a computer hardware and software system. Illegal breaking of a computer system is a criminal offence. Recently a spurt in hacking of computer systems has opened up several courses on ethical hacking.Kali Linux Tutorials

    ReplyDelete
  7. Mk YaqoobMarch 7, 2018 at 3:56 AM

    Hacking is a practice of modification of a computer hardware and software system. Illegal breaking of a computer system is a criminal offence. Recently a spurt in hacking of computer systems has opened up several courses on ethical hacking.FB hack

    ReplyDelete

If you like this post, comment please...

Subscribe to: Post Comments (Atom)