Session Fixation in kasuganosoras/pigeon

Valid

Reported on Oct 24th 2021


✍️ Description

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the web application manages the session ID: when authenticating a user, the vulnerable application does not assign a new session ID, making it possible to keep using an existing one. The attack consists of inducing a user to authenticate with a known session ID and then hijacking the user-validated session through knowledge of that session ID. The attacker has to provide a legitimate web application session ID and try to make the victim's browser use it.

POC

https://imgur.com/a/cBx4COO

  1. Before login, the browser holds the cookie PHPSESSID=fixation.
  2. The login response contains no Set-Cookie header, so no new session cookie is issued.
  3. The logged-in session still uses the cookie PHPSESSID=fixation.

✍️ Remediation

Web applications must ignore any session ID provided by the user's browser at login and must always generate a new session to which the user will log in if successfully authenticated.
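The following login handler is an added example, not code from the pigeon project, showing the remediation described above in PHP: the session ID the browser arrived with is thrown away and a fresh one is issued only after the credentials check out. The user store (lookup_password_hash), the sample account, and the /dashboard redirect are assumptions made for illustration.

```php
<?php
// Added example, not pigeon's code: a login handler that applies the remediation
// described above by regenerating the PHP session ID after a successful
// credential check. lookup_password_hash() is an assumed helper standing in for
// the application's own user store.
declare(strict_types=1);

session_start();

function lookup_password_hash(string $user): ?string
{
    // Assumption: the real application reads this from its database.
    // Constructed sample record for illustration only.
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return $users[$user] ?? null;
}

function login(string $user, string $pass): bool
{
    $hash = lookup_password_hash($user);
    if ($hash === null || !password_verify($pass, $hash)) {
        return false;
    }

    // The fix: discard whatever PHPSESSID the browser presented. A new ID is
    // generated and sent in a Set-Cookie header; passing true deletes the old
    // session data so an attacker-chosen ID no longer maps to anything.
    session_regenerate_id(true);

    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}

// Request handling (assumed form field names).
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (login($user, $pass)) {
    header('Location: /dashboard');
} else {
    http_response_code(401);
    echo 'Login failed';
}
```

With this in place, the check from step 2 of the POC flips: a successful login response now carries a Set-Cookie header with a PHPSESSID different from the one the browser sent, and a request that still presents the old value lands on an empty, unauthenticated session. The same regeneration should happen on any other privilege change, and logout should call session_destroy() rather than only clearing $_SESSION.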

We have contacted a member of the kasuganosoras/pigeon team and are waiting to hear back (a month ago)
We have sent a follow up to the kasuganosoras/pigeon team. We will try again in 7 days. (a month ago)
kasuganosoras validated this vulnerability (a month ago)
wtwver has been awarded the disclosure bounty
The fix bounty is now up for grabs
kasuganosoras confirmed that a fix has been merged on 9551f3 (a month ago)
The fix bounty has been dropped