03 Apr, 2023

Session fixation vulnerabilities


Session fixation is a class of vulnerability in which the attacker, rather than stealing a victim's session identifier, supplies one: the attacker obtains or chooses a session ID, gets the victim's browser to use it, and waits for the victim to authenticate. If the application keeps the same identifier across login, the ID the attacker already holds is now an authenticated session, and the attacker can act as the user without ever learning the password. The root cause is an application that accepts a session ID presented by the client before authentication and fails to issue a new one when the user logs in; the attack does not depend on guessing or intercepting anything.

Examples of vulnerable code in different programming languages:


in PHP:

    <?php
    // session_start() adopts whatever PHPSESSID the client presents
    // (unless session.use_strict_mode is enabled).
    session_start();
    // The ID is regenerated once, the first time this session is seen ...
    if (!isset($_SESSION['id'])) {
        session_regenerate_id();
        $_SESSION['id'] = session_id();
    }
    // ... and never again, so a later login keeps whatever ID is current.

In this PHP code the identifier is rotated only when the session is first created, not when the user authenticates. An attacker visits the site once to get past that branch (the server returns the regenerated ID in a Set-Cookie header), then delivers that ID to the victim; since $_SESSION['id'] is already set, no further regeneration occurs, and the victim's later login upgrades the attacker-held ID to an authenticated session. The missing call is session_regenerate_id(true) immediately after successful authentication; session.use_strict_mode=1 additionally stops PHP from adopting IDs it never issued.

• in Java:

    // getSession() reuses the session behind the JSESSIONID cookie the client sent
    HttpSession session = request.getSession();
    if (session.isNew()) {
        // This is a session attribute, not the session ID; it plays no part in
        // authentication and does nothing to tie the session to the user
        session.setAttribute("id", "12345");
    }

In this Java code the session ID is never rotated. Servlet containers normally discard a JSESSIONID they did not issue, so the attacker first obtains a real one by visiting the site, which is trivial; the defect is that the same ID remains valid after the user authenticates, because neither this code nor the login path that follows calls request.changeSessionId() (Servlet 3.1 and later) or invalidates the pre-login session and starts a fresh one.

• in Python:

    # Django-style request.session: the cookie value selects the server-side session
    session = request.session
    if 'id' not in session:
        # Writes a session attribute; the session key itself is left untouched
        session['id'] = '12345'

In this Python (Django-style) code the session key stays exactly as the client presented it; only an attribute is written. Django discards unknown keys and django.contrib.auth.login() calls request.session.cycle_key(), so the pattern becomes exploitable when a custom login view records the authenticated user in the session without cycling the key, or when another framework's session middleware adopts any key the client sends. The missing step is the same as in the other examples: issue a new session identifier at the moment of authentication.
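The three snippets above share one defect: nothing rotates the identifier at the moment the user authenticates. The following Python script, added here as an example rather than taken from the page or from any framework, simulates the whole attack against an in-memory session store so the effect of each control can be seen. The function names (start_session_lax, login_hardened and so on) and the planted value ATTACKER-CHOSEN-VALUE are the example's own.

```python
"""Session fixation end to end, as an added example (not the page's own code).

An in-memory dictionary stands in for the framework's session store. Two
start-session policies and two login routines are combined to show that
rotating the ID at authentication is the control that actually defeats the
attack; refusing unknown IDs only removes the attacker's convenience of
choosing the value.
"""
import secrets
from typing import Dict, Optional

SESSIONS: Dict[str, dict] = {}  # session_id -> server-side session data


def new_session() -> str:
    """Issue a fresh, unguessable ID (128 bits from the OS CSPRNG) and register it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def start_session_lax(cookie_sid: Optional[str]) -> str:
    """Vulnerable: adopt whatever ID the client presents, creating it if unknown.

    This mirrors PHP's session_start() with session.use_strict_mode=0: the
    attacker can 'pre-create' a session under a value of their own choosing.
    """
    if cookie_sid is None:
        return new_session()
    SESSIONS.setdefault(cookie_sid, {})
    return cookie_sid


def start_session_strict(cookie_sid: Optional[str]) -> str:
    """Hardened: honour only IDs the server issued; anything else gets a new one."""
    if cookie_sid is not None and cookie_sid in SESSIONS:
        return cookie_sid
    return new_session()


def login_vulnerable(sid: str, user: str) -> str:
    """Authenticate the session in place: the pre-login ID survives login."""
    SESSIONS[sid]["user"] = user
    return sid


def login_hardened(sid: str, user: str) -> str:
    """Rotate the ID at the privilege change and destroy the old session.

    Pre-login state is deliberately not copied across: attributes such as a
    CSRF token that an attacker could have seeded must not outlive login.
    """
    SESSIONS.pop(sid, None)
    new_sid = new_session()
    SESSIONS[new_sid]["user"] = user
    return new_sid


def whoami(sid: str) -> Optional[str]:
    """What the server believes about the holder of this cookie value."""
    return SESSIONS.get(sid, {}).get("user")


def run_attack(start_session, login) -> Optional[str]:
    """Play the attack against one (start_session, login) combination.

    Returns the user the attacker's cookie is served as afterwards: 'alice'
    means the fixation succeeded, None means the planted ID is worthless.
    """
    SESSIONS.clear()
    # 1. The attacker obtains an ID. Under the lax policy any string works; under
    #    the strict policy the attacker simply keeps the ID the server hands out.
    planted = start_session("ATTACKER-CHOSEN-VALUE")
    # 2. The victim's browser is made to carry that ID (link, injected cookie, ...)
    #    and the victim authenticates with valid credentials.
    victim_sid = start_session(planted)
    login(victim_sid, "alice")
    # 3. The attacker replays the value planted in step 1.
    return whoami(planted)


if __name__ == "__main__":
    for start in (start_session_lax, start_session_strict):
        for login in (login_vulnerable, login_hardened):
            print(f"{start.__name__:22s} + {login.__name__:17s} -> {run_attack(start, login)}")
```

Running the four combinations shows that strict acceptance of IDs without rotation still yields "alice" for the attacker, while rotation at login returns None whether or not unknown IDs are accepted: strict mode is worth enabling, but it is the rotation that closes the vulnerability.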

Examples of exploiting session fixation vulnerabilities

Obtaining an authenticated session without the password:

Session fixation does not reveal the victim's credentials; the attacker never sees the password. What it yields is the authenticated session itself: the attacker plants a session ID, the victim logs in under it, and from then on every request the attacker makes with that ID is served as the victim. The access lasts until the session is invalidated on the server, so it survives the victim closing the browser, and it also survives logout if logout only deletes the cookie on the client rather than destroying the server-side session.

Impersonation attacks:

An attacker can fix the session ID to a known value and then wait for the victim to log in. Once the victim logs in, the attacker can use the fixed session ID to take over the victim’s session, thereby impersonating them and performing actions on their behalf.

Session hijacking:

Hijacking is the broader goal of using someone else's valid session ID; fixation is one way to reach it that needs neither network interception nor an XSS to exfiltrate the cookie, because the attacker chose the ID in the first place. That makes it viable even when the application is served exclusively over HTTPS with HttpOnly cookies, as long as the ID survives authentication.

Account takeover:

An attacker can fix the session ID to a known value and use it to gain access to the user’s account. Once the attacker has access, they can change the user’s account details, add new payment methods, or perform any other malicious actions.

Privilege escalation techniques for Session fixation vulnerabilities

Targeting an administrator:

A fixated session is only as valuable as the account that logs in under the planted ID. An attacker who can get an administrator to use a prepared ID (for example through a link to an admin-only URL that carries the ID, or a cookie injected from a sibling subdomain) obtains an administrative session the moment the admin authenticates, without ever holding admin credentials.

Carrying attacker-chosen state across login:

Session variables live on the server and cannot be edited by whoever holds the cookie, but anything the attacker was able to put into the pre-login session (a CSRF token, a remembered role or locale, a pending registration or cart state) is inherited by the victim's authenticated session if the application keeps the same session object on login. The PrestaShop issue listed below (CVE-2023-25170) is exactly this: the CSRF token survived login, so an attacker who knew the pre-login token knew the post-login one.

Login CSRF:

A cross-site request cannot set a cookie for another origin, so CSRF does not plant a session ID directly. The related attack is login CSRF: the attacker forges a login request carrying the attacker's own credentials, so the victim's browser ends up holding a session the attacker controls, and anything the victim then enters (payment details, uploaded files, search history) lands in the attacker's account. Where the application accepts a session ID from the URL, a plain link is enough and no forgery is needed.

Phishing as the delivery channel:

If the attacker already holds the victim's credentials, fixation is unnecessary. Phishing matters here as the way the fixed ID reaches the victim: the lure link points at the genuine site but carries the attacker's session ID (as a URL parameter, or via a page on a subdomain the attacker controls that sets the cookie), and the victim's own legitimate login completes the attack. This variant gets past password-oriented phishing awareness because the victim really is on the real site, entering the password into the real form.

General methodology and checklist for Session fixation vulnerabilities

Methodology:

  1. Identify the session management mechanism: The first step is to identify how sessions are managed in the application. This can involve reviewing the application’s source code, using a proxy tool to intercept and analyze session traffic, or examining the session management configuration in the application server.

  2. Attempt to fix the session ID: With the mechanism known, present a session ID of your choosing (or one the server issued to you) before authenticating and check whether the server honours it. Edit the cookie in an intercepting proxy, or script the requests so the pre-login and post-login IDs can be compared exactly.

  3. Attempt to hijack the session: Log in as a test user while the browser carries the planted ID, then replay that ID from a second, clean client. If the second client is treated as the logged-in user, the ID was not rotated at authentication and the fixation is exploitable. Test the delivery side too: whether the application accepts the ID from a URL parameter or form field, and whether a cookie set by a sibling subdomain or over plain HTTP is honoured.

  4. Test for privilege escalation: With the fixated session established, check what it inherited from before login (CSRF tokens, role or feature flags, partially completed workflows) and what the authenticated session can reach. A planted ID that an administrator later logs in with is the worst case, so include admin-only entry points among the URLs used to deliver the ID.

  5. Document and report any vulnerabilities: If session fixation vulnerabilities are found, document the steps taken to reproduce the vulnerability and report them to the application owner or development team. It is important to provide clear, actionable recommendations for remediation, such as implementing proper session management practices or using multi-factor authentication.

  6. Re-test for validation: After any remediation steps have been taken, re-test the application to validate that the vulnerabilities have been properly addressed and that no new vulnerabilities have been introduced.

Checklist:

  1. Identify the session management mechanism: Identify how sessions are managed in the application, including how session IDs are generated, stored, and managed.

  2. Check for predictable session ID generation: Collect a sample of issued IDs and check their length and character set (at least 64 bits of entropy is the OWASP recommendation), look for sequential, timestamp-derived or user-derived components, and confirm the generator is a cryptographic one rather than a general-purpose PRNG.

  3. Attempt to fix the session ID: Attempt to fix the session ID to a known value and see if it is possible to hijack the victim’s session.

  4. Test for login CSRF: Check that the login form carries an anti-CSRF token. Without one, an attacker can log the victim's browser into an account the attacker controls (login CSRF), which hands the attacker the victim's subsequent activity even when session IDs are rotated correctly.

  5. Check for privilege escalation: Test for privilege escalation by attempting to access higher levels of privilege or sensitive information.

  6. Check for session variables manipulation: Check if session variables can be manipulated to grant elevated privileges or to access sensitive information.

  7. Check for session timeout handling: Check how the application handles session timeouts and if it properly invalidates session IDs after a certain period of inactivity.

  8. Check for multi-factor authentication: MFA does not prevent fixation on its own, because the planted ID is upgraded by whatever steps the victim completes; verify that the session ID is rotated after the final authentication step, not only after the password.

  9. Check for secure session transmission: Ensure the application is served only over HTTPS (with HSTS), and that the session cookie carries the Secure, HttpOnly and SameSite attributes, ideally with the __Host- prefix, so it can neither be sent over HTTP nor set by a subdomain or by an attacker on the network path.

  10. Review session management configurations: Review the configuration of the application server or other session management technologies to ensure that best practices are being followed, such as random session ID generation, session ID rotation, and proper cookie settings.

  11. Document and report any vulnerabilities: Document and report any session fixation vulnerabilities found, including steps to reproduce the vulnerability and recommendations for remediation.
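Steps 1 to 3 of the methodology and items 1, 3 and 9 of the checklist reduce to one question a script can answer: does an ID presented before login still work after it? The script below, added as an example and not part of the page or of any scanner, implements that check over plain HTTP and runs it against a small stub server that stands in for a target so it works offline. The stub's paths (/login, /me), cookie name (sid), form fields and the marker text user=alice are assumptions of the example; against a real target the same check_rotation() call is pointed at the application's real login endpoint and at a page that only a logged-in user can see.

```python
"""Black-box test for session ID rotation at login (added example, not the
page's tooling). check_rotation() is the reusable part and implements
methodology steps 1-3 against any HTTP target; the stub server below is a
constructed stand-in so the script runs offline, and its paths (/login, /me),
cookie name (sid) and form fields are assumptions, not any real product's API.
"""
import http.client
import secrets
import socketserver
import threading
from http import cookies
from http.server import BaseHTTPRequestHandler
from urllib import parse


def _request(host, port, method, path, headers=None, body=None):
    """One request on a fresh connection (a 'clean browser'); returns (headers, text)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.headers, resp.read().decode()
    finally:
        conn.close()


def _cookie_value(headers, name):
    """Value of cookie `name` from the response's Set-Cookie headers, if any."""
    for raw in headers.get_all("Set-Cookie") or []:
        jar = cookies.SimpleCookie(raw)
        if name in jar:
            return jar[name].value
    return None


def check_rotation(host, port, cookie_name, login_path, form, probe_path, marker):
    """Plant an ID, log in with it, then see whether the planted ID is now authenticated.

    `marker` is text that `probe_path` shows only to a logged-in user.
    """
    # Step 1: record what the server issues to an unauthenticated client.
    headers, _ = _request(host, port, "GET", "/")
    issued = _cookie_value(headers, cookie_name)
    # Step 2: authenticate while presenting an ID the server never issued.
    planted = "fixated-" + secrets.token_hex(8)
    form_headers = {"Cookie": f"{cookie_name}={planted}",
                    "Content-Type": "application/x-www-form-urlencoded"}
    headers, _ = _request(host, port, "POST", login_path, form_headers, parse.urlencode(form))
    after_login = _cookie_value(headers, cookie_name)
    # Step 3: replay the planted ID from a second client that holds no other cookies.
    _, page = _request(host, port, "GET", probe_path, {"Cookie": f"{cookie_name}={planted}"})
    return {"issued_pre_login": issued,
            "rotated_on_login": after_login is not None and after_login != planted,
            "vulnerable": marker in page}


def make_stub(rotate_on_login):
    """Constructed target: adopts any presented ID; rotates at login only if asked."""
    sessions = {}  # sid -> session data

    class Stub(BaseHTTPRequestHandler):
        def log_message(self, *args):  # silence request logging
            pass

        def _sid(self):
            jar = cookies.SimpleCookie(self.headers.get("Cookie", ""))
            return jar["sid"].value if "sid" in jar else None

        def _reply(self, text, set_sid=None):
            self.send_response(200)
            if set_sid is not None:
                self.send_header("Set-Cookie", f"sid={set_sid}; HttpOnly")
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(text.encode())

        def do_GET(self):
            sid = self._sid()
            if self.path == "/me":  # shows the user only to an authenticated session
                self._reply("user=" + sessions.get(sid, {}).get("user", "anonymous"))
            else:  # any other page: issue an ID if the client has none
                sid = sid or secrets.token_hex(16)
                sessions.setdefault(sid, {})
                self._reply("welcome", set_sid=sid)

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            form = dict(parse.parse_qsl(self.rfile.read(length).decode()))
            sid = self._sid() or secrets.token_hex(16)
            sessions.setdefault(sid, {})  # lax: an unknown ID is simply created
            if rotate_on_login:  # hardened: fresh ID, old session destroyed
                sessions.pop(sid)
                sid = secrets.token_hex(16)
                sessions[sid] = {}
            sessions[sid]["user"] = form.get("user", "")
            self._reply("ok", set_sid=sid if rotate_on_login else None)

    return Stub


def run_against_stub(rotate_on_login):
    """Start a stub on an ephemeral loopback port, run the check, tear it down."""
    server = socketserver.TCPServer(("127.0.0.1", 0), make_stub(rotate_on_login))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_rotation("127.0.0.1", server.server_address[1], "sid", "/login",
                              {"user": "alice", "password": "hunter2"}, "/me", "user=alice")
    finally:
        server.shutdown()
        server.server_close()
```

run_against_stub(False) reports vulnerable: True with rotated_on_login: False, and run_against_stub(True) the reverse. The value of "rotated_on_login" alone is not the verdict: a server that rotates but still honours the planted ID elsewhere, or one that echoes the planted value back in Set-Cookie, is caught by the replay in step 3, which is why the verdict is taken from the probe page rather than from the cookie header.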

Tools set for exploiting Session fixation vulnerabilities

Manual Tools:

  • Burp Suite – a powerful web application security testing toolkit that includes a proxy, scanner, and other tools for testing session fixation vulnerabilities manually.

  • OWASP ZAP – an open-source web application security testing tool that includes a proxy, scanner, and other tools for testing session fixation vulnerabilities manually.

  • Fiddler – a web debugging proxy tool that can be used to intercept and modify session traffic to test for session fixation vulnerabilities.

  • Chrome and Firefox Developer Tools – built into the browsers; the Application (Chrome) or Storage (Firefox) panel lets you view and edit cookies, including planting a session ID, and the Network panel shows Set-Cookie headers and lets you replay requests. They do not intercept or modify traffic in flight the way a proxy does.

  • Wireshark – a network protocol analyzer for capturing and inspecting traffic; it cannot modify requests, and it only sees session IDs that travel over cleartext HTTP, so it is useful for spotting IDs leaked in URLs or unencrypted cookies rather than for the fixation test itself.

  • cURL – a command-line tool for transferring data using various protocols, including HTTP, that can be used to manually test for session fixation vulnerabilities.

Automated Tools:

  • AppScan – an automated web application security testing tool that can detect and report session fixation vulnerabilities automatically.

  • Acunetix – an automated web application security testing tool that can detect and report session fixation vulnerabilities automatically.

  • Netsparker – an automated web application security testing tool that can detect and report session fixation vulnerabilities automatically.

  • Qualys – a cloud-based security and compliance platform that includes an automated web application scanner that can detect and report session fixation vulnerabilities automatically.

  • Nessus – primarily a network and host vulnerability scanner; its web application checks are limited compared with a dedicated web scanner, so a clean Nessus result says little about session handling.

  • WebInspect – an automated web application security testing tool that can detect and report session fixation vulnerabilities automatically.

  • Nmap – a network discovery and service enumeration tool; its NSE HTTP scripts identify web servers and applications but do not exercise login flows, so it belongs to reconnaissance rather than to session fixation testing.

  • Vega – an open-source web application security testing tool that includes an automated scanner that can detect and report session fixation vulnerabilities automatically.

Browser Plugins:

  • EditThisCookie – a Chrome extension for viewing and editing cookies, including session cookies, used to plant or replay a session ID during testing.

  • Cookie-Editor – an extension available for Chrome, Firefox and Edge that allows users to create, edit and delete cookies, including session cookies, to test for session fixation vulnerabilities.

  • Cookie Monster and Cookies Manager+ – legacy Firefox add-ons for managing and editing cookies. Both were built for the pre-Quantum extension system and are no longer available for current Firefox releases; use a current cookie editor or the built-in developer tools instead.

Average CVSS score of session fixation vulnerabilities

The Common Vulnerability Scoring System (CVSS) score of a session fixation vulnerability can vary depending on the severity of the issue and the impact it can have on the affected system. The CVSS score ranges from 0 to 10, with 10 being the most severe.

In general, session fixation vulnerabilities are rated medium to high, and published CVEs in this class typically land in the 6.5 to 8.5 range. The CVSS v3 vector usually looks like AV:N/AC:L/PR:N/UI:R: exploitable remotely with no privileges, but requiring the victim to follow a link or otherwise use the planted ID, and that user-interaction requirement is what keeps the score short of critical. With the confidentiality and integrity impact of a full account takeover (S:U/C:H/I:H/A:N) the base score is 8.1; a variant that only exposes a limited session (C:L/I:L/A:N) scores 5.4.

However, the actual CVSS score of a specific session fixation vulnerability can vary depending on various factors such as the impact of the vulnerability on confidentiality, integrity, and availability of the system, the ease of exploitation, and the presence of mitigating factors. It is important to perform a comprehensive vulnerability assessment to accurately determine the CVSS score of a specific session fixation vulnerability.

The Common Weakness Enumeration (CWE)

• CWE-384: Session Fixation – This is the main CWE entry for session fixation vulnerabilities. It refers to the practice of an attacker setting the session ID of a user’s session to a value that the attacker knows in advance.

• CWE-613: Insufficient Session Expiration – This refers to a situation where a session is not terminated after a certain period of inactivity, allowing an attacker to take over the session.

• CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute – A session cookie without the Secure attribute is also sent over plain HTTP, where it can be read; more relevant to fixation, an active network attacker can inject a Set-Cookie for the domain into any plain-HTTP response, and the browser will then present that cookie to the HTTPS site.

• CWE-330: Use of Insufficiently Random Values – A predictable session ID lets the attacker guess a valid session rather than plant one. The outcome (use of someone else's session) is the same, but the weakness lies in ID generation rather than in the failure to rotate the ID at login.

• CWE-693: Protection Mechanism Failure – This refers to a situation where a session management protection mechanism, such as a session timeout, fails to work as intended, making the session vulnerable to takeover by an attacker.

• CWE-352: Cross-Site Request Forgery (CSRF) – This refers to a situation where an attacker tricks a victim into performing an action on a web application without their consent, using an existing session to carry out the attack.

• CWE-807: Reliance on Untrusted Inputs in a Security Decision – This refers to a situation where a web application relies on untrusted inputs, such as session IDs, to make security decisions, making it vulnerable to session fixation attacks.

• CWE-284: Improper Access Control – This refers to a situation where an attacker is able to access resources or functionality that should be protected by proper access controls, such as session management.

• CWE-319: Cleartext Transmission of Sensitive Information – This refers to a situation where sensitive information, such as session IDs or passwords, is transmitted in cleartext, making it vulnerable to interception (session hijacking) and, for an attacker who can also modify the traffic, to cookie injection.

Top 10 CVEs related to session fixation vulnerabilities

• CVE-2023-25170 – PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.

• CVE-2023-22479 – KubePi is a modern Kubernetes panel. A session fixation attack allows an attacker to hijack a legitimate user session, versions 1.6.3 and below are susceptible. A patch will be released in version 1.6.4.

• CVE-2022-44788 – An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login.

• CVE-2022-44007 – An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation.

• CVE-2022-40958 – By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

• CVE-2022-40630 – This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper session management in the Tacitine Firewall web-based management interface. An unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted http request on the targeted device. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform session fixation on the targeted device.

• CVE-2022-40293 – The application was vulnerable to a session fixation that could be used to hijack accounts.

• CVE-2022-38628 – Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors.

• CVE-2022-38054 – In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.

• CVE-2022-33927 – Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. A unauthenticated attacker could exploit this by taking advantage of a user with multiple active sessions in order to hijack a user’s session.

Session fixation vulnerabilities exploits

  • Session hijacking – An attacker can hijack a valid user’s session by using a fixed session ID value to gain access to the user’s session after they have logged in.

  • Session fixation – An attacker supplies the session ID (by link, injected cookie or form field) before the user logs in and takes over the session once the user has authenticated; the items that follow are the neighbouring ways of ending up with a usable session ID.

  • Login CSRF – A cross-site request cannot set another origin's cookie, so CSRF does not plant a session ID directly; instead the attacker forges a login request with the attacker's own credentials so that the victim's browser holds a session the attacker controls.

  • Cookie manipulation – An attacker can manipulate cookies associated with a user’s session to gain unauthorized access to sensitive information or functionality.

  • Brute-forcing – An attacker can attempt to brute-force session IDs by trying different values until a valid session ID is found.

  • Session prediction – An attacker can predict a valid session ID by analyzing session IDs from previous sessions or by analyzing the session ID generation algorithm used by the application.

  • Session stealing – An attacker can steal a valid session ID by intercepting network traffic or by exploiting other vulnerabilities, such as XSS or SQL injection, to gain access to session information.

Practicing in test for Session fixation vulnerabilities

  1. Identify the session management mechanism used by the application, such as cookies or URL parameters.

  2. Check if the session ID is regenerated after user authentication, or if it remains the same throughout the session.

  3. Attempt to fixate the session ID by setting it to a known value before logging in and then logging in as a user. If successful, the attacker should be able to take over the user’s session.

  4. Attempt to hijack a valid user’s session by using a fixed session ID value to gain access to the user’s session after they have logged in.

  5. Test for session expiration by logging in as a user and then waiting for the idle and absolute timeouts. A session that never expires on the server keeps a planted ID usable indefinitely, widening the window in which the victim can be lured into using it.

  6. Test for login CSRF by submitting the login form from a page on another origin with attacker-chosen credentials; if it succeeds without a token check, the victim's browser can be logged into an attacker-controlled session.

  7. Test for cookie manipulation by attempting to modify the session cookie to gain unauthorized access to sensitive information or functionality.

  8. Test for session prediction by analyzing session IDs from previous sessions or by analyzing the session ID generation algorithm used by the application.

  9. Attempt to steal a valid session ID by intercepting network traffic or by exploiting other vulnerabilities, such as XSS or SQL injection, to gain access to session information.

For study Session fixation vulnerabilities

OWASP – Session Fixation: OWASP documents the attack on its Session Fixation page and tests for it in the Web Security Testing Guide as WSTG-SESS-03 (Testing for Session Fixation). In the OWASP Top 10 it falls under A07:2021 Identification and Authentication Failures (formerly A2 Broken Authentication), which lists failure to rotate the session ID after a successful login among its symptoms; the Session Management Cheat Sheet gives the concrete requirements for ID generation, rotation and cookie attributes.

Session Fixation Vulnerabilities in Web-based Applications: the 2002 ACROS Security whitepaper by Mitja Kolšek that introduced the term. It describes the attack variants (URL, cookie and form-based delivery, cross-subdomain and network-injected cookies) and the countermeasures still in use today.

Session Fixation Attacks and Defenses: This book provides a comprehensive look at session fixation attacks, including the different types of attacks and how to defend against them.

Session Fixation Vulnerability Testing Guide: This guide provides a step-by-step approach to testing for session fixation vulnerabilities, including how to identify potential vulnerabilities and how to exploit them.

Vulnerability Assessment and Penetration Testing: This course covers the fundamentals of vulnerability assessment and penetration testing, including how to identify and exploit session fixation vulnerabilities.

Practical Web Application Penetration Testing: This book provides a practical guide to web application penetration testing, including how to identify and exploit session fixation vulnerabilities.

Session Fixation Vulnerabilities Cheat Sheet: This cheat sheet provides a quick reference for detecting and exploiting session fixation vulnerabilities.

Books with review of Session fixation vulnerabilities

“Web Application Vulnerabilities: Detect, Exploit, Prevent” by Steven Palmer: This book covers a wide range of web application vulnerabilities, including session fixation attacks.

“Hacking Exposed Web Applications: Web Application Security Secrets and Solutions” by Joel Scambray, Mike Shema, and Caleb Sima: This book provides an in-depth look at web application security, including session fixation attacks.

“The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto: This book provides a comprehensive guide to finding and exploiting web application vulnerabilities, including session fixation attacks.

“Professional Penetration Testing: Creating and Operating a Formal Hacking Lab” by Thomas Wilhelm: This book provides a detailed guide to creating and operating a penetration testing lab, including how to test for session fixation vulnerabilities.

“Hacking: The Art of Exploitation” by Jon Erickson: An introduction to exploitation at the native level (memory corruption, shellcode, network programming); valuable for the attacker mindset, but web session attacks such as fixation are not its subject.

“The Basics of Web Hacking: Tools and Techniques to Attack the Web” by Josh Pauli: This book provides a beginner’s guide to web hacking, including an overview of session fixation attacks.

“Hands-On Penetration Testing with Kali NetHunter: Spy on and protect vulnerable ecosystems using the power of Kali Linux for pentesting on the go” by Glen D. Singh: This book provides a guide to using Kali Linux for penetration testing, including how to test for session fixation vulnerabilities.

“Gray Hat Python: Python Programming for Hackers and Reverse Engineers” by Justin Seitz: Covers debuggers, hooking, fuzzing and instrumentation in Python rather than web application attacks; the scripting skills carry over to automating session tests, but session fixation itself is not covered.

“Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz: This book provides a guide to using Python for penetration testing, including how to test for session fixation vulnerabilities.

“Penetration Testing: A Hands-On Introduction to Hacking” by Georgia Weidman: This book provides an introduction to penetration testing, including how to test for web application vulnerabilities like session fixation.

List of payloads Session fixation vulnerabilities

  • Set-Cookie header: The attacker plants the session cookie in the victim's browser and then sends the victim to the genuine login page. Within the site this takes an XSS or a page on a sibling subdomain (a cookie set with Domain=.example.com is sent to every host beneath it); on the network, anyone who can alter a plain-HTTP response for the domain can inject a Set-Cookie that the browser will afterwards present to the HTTPS site, because browsers do not keep HTTP and HTTPS cookies apart unless the __Host- prefix is used.

  • URL parameter: Where the application accepts the session ID in the URL (PHP with session.use_trans_sid, the Java ;jsessionid= path parameter), a link such as https://example.com/login?PHPSESSID=<attacker-id> is the entire payload; the victim logs in through a legitimate page while carrying the attacker's ID.

  • Hidden field: Where the application transports the session token in a form field instead of a cookie, a form on an attacker-controlled page that posts to the real login endpoint with the attacker's token pre-filled fixes the session in the same way.

  • Referrer header: Not a delivery channel, since applications do not read session IDs from Referer. It matters as a leak: an ID carried in the URL is disclosed in the Referer header of every outbound link and third-party resource request, which is one more reason never to transport the ID in the URL.

  • Cross-site scripting (XSS): Script on the target origin, or on any subdomain allowed to set cookies for the parent domain, can write document.cookie to plant the attacker's ID. HttpOnly only stops script from reading a cookie; a planted cookie with a more specific Path sorts ahead of the legitimate one in the Cookie header, so HttpOnly is not a defence against fixation.

  • Cross-site request forgery (CSRF): A cross-origin request cannot set the victim's cookie, so the CSRF variant is login CSRF: a forged login request with the attacker's credentials leaves the victim's browser holding a session the attacker controls.

  • Session fixation through login: The general form of the attack. The victim is directed to the real login page by any of the channels above with the attacker's session ID already in place, and the victim's own successful authentication upgrades that ID.

How to be protected from Session fixation vulnerabilities

  1. Generate session IDs on the server from a cryptographically secure random source with at least 64 bits of entropy, and never accept an ID the server did not issue: enable PHP's session.use_strict_mode, and do not read session IDs from URL parameters or form fields.

  2. Rotate the session ID on every change of privilege, not only at login: after the password step, after MFA, on elevation to an administrative context, and invalidate the old ID server-side at the same moment (PHP session_regenerate_id(true), Servlet request.changeSessionId(), Django request.session.cycle_key(), which django.contrib.auth.login() already performs). Do not copy pre-login session attributes such as CSRF tokens into the authenticated session.

  3. Mark the session cookie Secure so it is only sent over encrypted connections, add SameSite=Lax or Strict, and use the __Host- prefix so the cookie cannot be set by a subdomain or over plain HTTP.

  4. Use the HttpOnly flag to prevent session IDs from being read by JavaScript; note that this limits theft of the cookie, not planting of one.

  5. Set an idle timeout and an absolute lifetime for sessions, and destroy the server-side session on logout rather than only clearing the cookie, so that a planted ID cannot be used for an extended period of time.

  6. Implement CSRF protection on all state-changing requests, including the login form itself, so that a victim's browser cannot be logged into an attacker-controlled session (login CSRF).

  7. Regularly monitor session logs for unusual activity, such as multiple logins from different IP addresses using the same session ID.

  8. Keep your web application and server software up-to-date with the latest security patches to minimize the risk of session fixation vulnerabilities.
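Checklist item 9 and protections 1, 3 and 5 above are all properties of one Set-Cookie header, so they can be audited mechanically. The script below is an added example, not code from the page or from any framework: audit_set_cookie() reports which attributes a captured header lacks and whether the ID itself looks too short to resist guessing, and build_session_cookie() emits the header a hardened application should send. The weakness codes, the 64-bit entropy floor (the OWASP Session Management Cheat Sheet figure) and the __Host- and persistence checks are this example's own policy choices.

```python
"""Auditing and building the session cookie, as an added example (not from the page).

audit_set_cookie() checks one Set-Cookie header for the attributes the
protections above call for and for an ID too short to resist guessing;
build_session_cookie() shows the header a hardened application should emit.
The entropy figure is a rough lower bound from length and alphabet; the 64-bit
floor is the OWASP Session Management Cheat Sheet recommendation.
"""
import math
import secrets
import string
from http import cookies
from typing import Dict, List

MIN_ENTROPY_BITS = 64

EXPLANATIONS = {
    "no-secure": "sent over plain HTTP; a network attacker can read it and inject a replacement",
    "no-httponly": "readable from script; an XSS can exfiltrate it",
    "no-samesite": "sent on cross-site requests; weakens CSRF and login-CSRF defences",
    "no-host-prefix": "a sibling subdomain (or an HTTP origin) can set a cookie with this name",
    "persistent": "Expires/Max-Age makes the ID outlive the browser session",
    "weak-id": "estimated entropy below %d bits; guessable" % MIN_ENTROPY_BITS,
}


def estimate_entropy_bits(value: str) -> float:
    """Lower-bound entropy from the observed alphabet; a real test samples many IDs."""
    if value.isdigit():
        alphabet = 10
    elif all(c in string.hexdigits for c in value):
        alphabet = 16
    elif value.isalnum():
        alphabet = 62
    else:
        alphabet = 64  # base64 / URL-safe style
    return len(value) * math.log2(alphabet)


def audit_set_cookie(header: str) -> Dict[str, List[str]]:
    """Map each cookie in a Set-Cookie header to its list of weakness codes."""
    jar = cookies.SimpleCookie()
    jar.load(header)
    findings: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["secure"]:
            issues.append("no-secure")
        if not morsel["httponly"]:
            issues.append("no-httponly")
        if not morsel["samesite"]:
            issues.append("no-samesite")
        if not name.startswith("__Host-"):
            issues.append("no-host-prefix")
        if morsel["expires"] or morsel["max-age"]:
            issues.append("persistent")
        if estimate_entropy_bits(morsel.value) < MIN_ENTROPY_BITS:
            issues.append("weak-id")
        findings[name] = issues
    return findings


def build_session_cookie(name: str = "__Host-sid") -> str:
    """Emit a hardened session cookie: 128-bit ID, Secure, HttpOnly, SameSite, host-locked."""
    jar = cookies.SimpleCookie()
    jar[name] = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"  # __Host- requires Path=/ and no Domain attribute
    return jar[name].OutputString()


if __name__ == "__main__":
    for hdr in ("PHPSESSID=12345; path=/", build_session_cookie()):
        print(hdr)
        for code in audit_set_cookie(hdr)[hdr.split("=", 1)[0]]:
            print("   ", code, "-", EXPLANATIONS[code])
```

Feeding the script a header captured with curl -i or from the proxy gives the checklist result directly; the PHPSESSID=12345 sample trips every check, while the header build_session_cookie() produces passes all of them.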

Conclusion

Session fixation vulnerabilities pose a significant threat to web applications that rely on user authentication and session management. Attackers can use session fixation to take control of a user’s session and access sensitive information or perform unauthorized actions on behalf of the victim. The impact of these attacks can be severe, ranging from theft of personal information to financial loss or reputational damage.
