Session Fixation in agentejo/cockpit


Reported on

Sep 4th 2021

✍️ Description

A malicious actor with access to the computer is able to reveal the loaded site's actual session identifier value from the stored cookie. Since upon login, this value does not change, the attacker can gain access via session hijacking, when the target logs in on the compromised computer.

🕵️‍♂️ Proof of Concept

  • 1; Open the website, in incognito mode, to make sure, you don't have any live sesion.

  • 2; Obtain the session identifier value from the cookie

  • 3; Initiate a login with a valid user

  • 4; Obtain the session identifier value again from the cookie

The value is the same before and after the login.

💥 Impact

Upon successful attack, the malicious actor is able to hijack the user's session, what causes total compromise of the target's account.

We created a GitHub Issue asking the maintainers to create a a year ago
a year ago


Hey gergelykis, I'm just contacted the repo maintainer for you.

We have contacted a member of the agentejo/cockpit team and are waiting to hear back a year ago
Artur validated this vulnerability a year ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Artur confirmed that a fix has been merged on 0c6628 a year ago
Artur has been awarded the fix bounty
to join this conversation