Session Fixation in tsolucio/corebos

Valid

Reported on

Dec 7th 2021


Description

Session Fixation is an attack that permits an attacker to hijack a valid user session. It exploits a weakness in how the web application manages session IDs: the application does not issue a new session ID when a user authenticates, so a session ID that already existed before login (and that may be known to, or even chosen by, an attacker) remains valid for the authenticated session.

Proof of Concept

1. Load the website in a fresh browser profile
2. Record the session cookie before login
3. Log in to the website
4. Record the session cookie after login
5. Compare the two values

Before login, the session cookie (with a value chosen by the tester) is democoreboscom=fixation.
The login HTTP response carries a Set-Cookie header that sets a new cookie, but the value it sets is identical to the pre-login one.
After logging in, the session is still running under democoreboscom=fixation.

Impact

The attack consists of inducing a user to authenticate with a session ID the attacker already knows, then hijacking the authenticated session by presenting that ID. The attacker must first obtain a session ID the application will accept and then get the victim's browser to use it; because the application keeps the pre-login ID across authentication, the attacker's copy of that ID becomes a logged-in session the moment the victim signs in.

Remediation

At login, web applications must ignore any session ID presented by the user's browser and always generate a fresh session ID, binding the authenticated state to the new ID only after the credentials have been verified. The old ID must be invalidated server-side so that a copy held by an attacker can no longer reach the authenticated session.
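The following is an added example, not code from the coreBOS project or from this report. It models a minimal cookie-based session layer in two variants (one that keeps the presented ID across login, as the report describes, and one that regenerates it), and runs the four-step check from the proof of concept against both. The cookie name democoreboscom is taken from the report; the user name, password and the session-store API are assumptions made for illustration.

```python
"""Session fixation: vulnerable vs. fixed session handling, plus the PoC check.

Added example (hypothetical code, not the coreBOS implementation). The cookie
name comes from the report; USERS and the store API are constructed here.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE_NAME = "democoreboscom"
USERS = {"alice": "correct horse battery staple"}  # constructed test credentials


def cookie_value(header: str) -> Optional[str]:
    """Extract the session ID from a Cookie or Set-Cookie header string."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[COOKIE_NAME].value if COOKIE_NAME in jar else None


class SessionStore:
    """In-memory session store simulating one server-side request cycle."""

    def __init__(self, regenerate_on_login: bool) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}
        self.regenerate_on_login = regenerate_on_login

    @staticmethod
    def _new_id() -> str:
        return secrets.token_hex(16)

    def request(self, cookie_header: Optional[str],
                login: Optional[Tuple[str, str]] = None) -> Tuple[str, str]:
        """Handle one request; return (Set-Cookie header, session ID in effect)."""
        sid = cookie_value(cookie_header) if cookie_header else None
        # Like a default session_start(): adopt whatever ID the client presents,
        # even one the server never issued (this is what makes fixation possible).
        if sid is None:
            sid = self._new_id()
        sess = self.sessions.setdefault(sid, {})
        if login is not None:
            user, password = login
            if USERS.get(user) == password:
                if self.regenerate_on_login:
                    # Fix: drop the presented ID and bind the authenticated
                    # state to a freshly generated one.
                    del self.sessions[sid]
                    sid = self._new_id()
                    self.sessions[sid] = sess
                sess["user"] = user
        return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly", sid


def session_fixation_check(store: SessionStore,
                           attacker_sid: str = "fixation") -> Dict[str, object]:
    """Steps 1-5 of the proof of concept: present a known ID, log in, compare.

    Also replays the attacker's ID afterwards to see whether it now carries
    the victim's authenticated state.
    """
    presented = f"{COOKIE_NAME}={attacker_sid}"
    set_cookie_before, _ = store.request(presented)                     # steps 1-2
    set_cookie_after, _ = store.request(presented, login=("alice", USERS["alice"]))  # 3-4
    before = cookie_value(set_cookie_before)
    after = cookie_value(set_cookie_after)
    hijacked = store.sessions.get(attacker_sid, {}).get("user") == "alice"
    return {
        "before": before,
        "after": after,
        "vulnerable": before == after,  # step 5: same ID across login => fixation
        "hijacked": hijacked,           # attacker's copy of the ID is now logged in
    }


if __name__ == "__main__":
    for label, store in (("vulnerable", SessionStore(regenerate_on_login=False)),
                         ("fixed", SessionStore(regenerate_on_login=True))):
        print(label, session_fixation_check(store))
```

In the vulnerable store the cookie value stays "fixation" across login and the attacker's copy of the ID is immediately authenticated; in the fixed store the login response sets a fresh ID and the old one no longer resolves to a session. In a PHP application such as coreBOS the equivalent fix is to call session_regenerate_id(true) immediately after the credentials are verified (the argument deletes the old session file), and to enable session.use_strict_mode so that the server refuses to adopt an ID it never issued in the first place.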

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 2 years ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 2 years ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. 2 years ago
Joe Bordes validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8.0 with commit d43a9a a year ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE