Session Fixation in kasuganosoras/pigeon


Reported on

Oct 24th 2021

✍️ Description

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID: when authenticating a user, it does not assign a new session ID, so an existing session ID can continue to be used. The attack consists of inducing a user to authenticate with a known session ID and then hijacking the user-validated session through knowledge of that session ID. The attacker has to provide a legitimate web application session ID and try to make the victim's browser use it.

  1. Before login, the browser holds the cookie PHPSESSID=fixation.
  2. The login response contains no Set-Cookie header that would set a new cookie.
  3. The logged-in session still uses the cookie PHPSESSID=fixation.

✍️ Remediation

Web applications must ignore any session ID provided by the user's browser at login and must always generate a new session to which the user will log in if successfully authenticated.
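As an added illustration (not the pigeon project's own code), here is a minimal PHP login handler in the vulnerable shape the report describes, next to a hardened version that rotates the session ID on login. The user store, credentials and function names are constructed stand-ins.

```php
<?php
// Added example, not code from kasuganosoras/pigeon. Two variants of a login
// handler: the vulnerable one keeps whatever PHPSESSID the browser presented
// (e.g. PHPSESSID=fixation), the hardened one issues a fresh ID on login.
declare(strict_types=1);

// Constructed sample user store; the hash is generated at startup.
function lookup_user(string $username): ?array {
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

// VULNERABLE: the session is started but never regenerated. If the request
// carried a pre-set PHPSESSID, the authenticated state is attached to that
// attacker-known ID and PHP sends no Set-Cookie header, which is exactly the
// behaviour observed in the report (no new cookie, same PHPSESSID after login).
function login_vulnerable(string $username, string $password): bool {
    session_start();
    $user = lookup_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    $_SESSION['user'] = $username;
    return true;
}

// HARDENED: any client-supplied ID is ignored for the authenticated session.
// session.use_strict_mode makes PHP reject IDs it did not itself generate, and
// session_regenerate_id(true) replaces the ID after a successful login and
// deletes the old session data, so a fixed ID never becomes an authenticated one.
// PHP then emits a Set-Cookie header carrying the new PHPSESSID.
function login_hardened(string $username, string $password): bool {
    ini_set('session.use_strict_mode', '1');
    session_start();
    $user = lookup_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    $_SESSION = [];                 // drop any state seeded under the old ID
    session_regenerate_id(true);    // new ID; old session destroyed
    $_SESSION['user'] = $username;
    $_SESSION['auth_time'] = time();
    return true;
}
```

Re-running the report's three-step check against the hardened handler should show a Set-Cookie header with a PHPSESSID value different from the one sent before login.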

We have contacted a member of the kasuganosoras/pigeon team and are waiting to hear back 2 years ago
We have sent a follow up to the kasuganosoras/pigeon team. We will try again in 4 days. 2 years ago
kasuganosoras validated this vulnerability 2 years ago
wtwver has been awarded the disclosure bounty
The fix bounty is now up for grabs
kasuganosoras marked this as fixed with commit 9551f3 2 years ago
The fix bounty has been dropped