Session Fixation in fobybus/social-media-skeleton

Valid

Reported on

Aug 25th 2023


Description

Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID (SID). This attack can occur when a web application:

• Fails to supply a new, unique SID to a user following a successful authentication
• Allows a user to provide the SID to be used after authenticating

In a session fixation attack, the attacker creates or obtains a valid session identifier and causes the user to provide authentication credentials to the application along with the session identifier. If the application fails to renew this SID after the user logs in, the attacker can use the previously obtained/created value of this SID to clone the authenticated session. The attacker can continue to impersonate the victim user until the SID expires. The need to brute-force or intercept the SID is eliminated.

Proof of Concept

https://drive.google.com/file/d/16veuc5I1qEM8qKmz_DiyRLrTmi8F-O8c/view?usp=sharing

Remediation

The best way to prevent session fixation attacks is to renew the session ID when a user logs in. This fix can be done at the code level or framework level, depending on where the session management functionality is implemented. Example 1: the following PHP code changes the session ID after users log in successfully:

// Assumes session_start() has already been called for this request.
if ($authentication_successful) {
    $_SESSION["authenticated"] = true;
    // Issue a fresh SID and delete the old session file so the pre-login SID is unusable.
    session_regenerate_id(true);
}

Example 2: When deploying web applications to Apache Tomcat, care must be taken to set the "changeSessionIdOnAuthentication" attribute of the Context element in context.xml to true. Additionally, session IDs should be sufficiently random and should be invalidated at logout.
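To make the remediation above testable, here is an added example (not code from the original report or from the fobybus/social-media-skeleton project) that models a login handler over an in-memory session store in Python rather than PHP. The `SessionStore`, `login` and `CREDENTIALS` names and the credential table are constructed for the illustration. The `regenerate` method does what `session_regenerate_id(true)` does: it moves the session data to a fresh, CSPRNG-generated SID and deletes the old entry. The two check functions are the kind of regression test a maintainer can adapt: they verify that a SID the browser already carried before login does not become an authenticated session, and that login hands back a different SID than it received.

```python
import secrets

# Constructed credential table for the demonstration (not a real user database).
CREDENTIALS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session store keyed by session ID (SID)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Fresh, unpredictable SID: 32 random bytes from the OS CSPRNG.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        # Equivalent of PHP's session_regenerate_id(true): move the data to a
        # new SID and delete the old one so the old value can no longer be used.
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def destroy(self, sid):
        # Logout path: the SID must be invalidated server-side, not just in the cookie.
        self._sessions.pop(sid, None)


def check_credentials(username, password):
    expected = CREDENTIALS.get(username)
    return expected is not None and secrets.compare_digest(expected, password)


def login(store, presented_sid, username, password, regenerate_on_login):
    """Handle a login request. Returns (sid_to_set_in_cookie, success)."""
    # Reuse the presented SID if it exists, otherwise start a new anonymous session.
    sid = presented_sid if store.get(presented_sid) is not None else store.create()
    if not check_credentials(username, password):
        return sid, False
    if regenerate_on_login:
        sid = store.regenerate(sid)  # the fix: never keep the pre-login SID
    session = store.get(sid)
    session["authenticated"] = True
    session["user"] = username
    return sid, True


def sid_known_before_login_is_authenticated(regenerate_on_login):
    """Regression check: does a SID that existed before login grant an
    authenticated session after login? True means fixation is possible."""
    store = SessionStore()
    pre_login_sid = store.create()  # any SID the browser already carries
    _, ok = login(store, pre_login_sid, "alice", CREDENTIALS["alice"], regenerate_on_login)
    assert ok
    session = store.get(pre_login_sid)
    return session is not None and session["authenticated"]


def login_issues_new_sid(regenerate_on_login):
    """Regression check: does a successful login return a SID different from
    the one the browser presented?"""
    store = SessionStore()
    pre_login_sid = store.create()
    new_sid, ok = login(store, pre_login_sid, "alice", CREDENTIALS["alice"], regenerate_on_login)
    return ok and new_sid != pre_login_sid


if __name__ == "__main__":
    print("without regeneration, pre-login SID is authenticated:",
          sid_known_before_login_is_authenticated(False))
    print("with regeneration, pre-login SID is authenticated:",
          sid_known_before_login_is_authenticated(True))
```

Running the module prints `True` for the unfixed handler and `False` for the fixed one; in a real application the same two checks would be written against the framework's session middleware, asserting on the `Set-Cookie` header returned by the login response.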

Impact

Authenticating a user but failing to provision a new session identifier gives an attacker the opportunity to steal authenticated sessions of victim users. This attack breaks the data confidentiality and integrity of victim users.

We are processing your report and will contact the fobybus/social-media-skeleton team within 24 hours. (a month ago)
Mohamed Faizal modified the report (a month ago)
We have contacted a member of the fobybus/social-media-skeleton team and are waiting to hear back (a month ago)

Mohamed Faizal (Researcher), 24 days ago:
any updates on this?

fobybus gave praise 24 days ago
go ahead and fix it!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
fobybus validated this vulnerability 24 days ago
Mohamed Faizal has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
fobybus marked this as fixed in 1.0.5 with commit 8c632f 23 days ago
fobybus has been awarded the fix bounty
This vulnerability will not receive a CVE
fobybus published this vulnerability 23 days ago