14 Feb, 2023

Session Fixation

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Session Fixation is a web application vulnerability that occurs when an attacker is able to set or control the value of a user’s session ID, either by guessing or by providing a session ID to the user before they authenticate. This allows the attacker to hijack the user’s session and perform actions on their behalf.

The attack works by tricking the user into using a session ID that the attacker knows, typically by sending the user a link with the session ID included. The attacker then waits for the user to authenticate with the web application using that session ID, at which point the attacker can use the same session ID to access the user’s session and perform actions on their behalf.

Example of vulnerable code on different programming languages:

• PHP:

				
					<?php
session_start();
if (!isset($_SESSION['id'])) {
    $_SESSION['id'] = session_id();
}

				
			

This code sets the user’s session ID to the value of the current session ID if it has not already been set. However, this approach is vulnerable to Session Fixation attacks because it allows an attacker to set the session ID before the user logs in, allowing the attacker to hijack the user’s session.

To prevent Session Fixation attacks in PHP, the session ID should be regenerated after the user logs in, like this:

				
					<?php
session_start();
if (!isset($_SESSION['id'])) {
    session_regenerate_id(true);
    $_SESSION['id'] = session_id();
}

				
			

Java:

				
					HttpSession session = request.getSession();
if (session.isNew()) {
    session.setAttribute("id", session.getId());
}

				
			

This code creates a new session and sets the user’s session ID to the value of the current session ID if it has not already been set. However, this approach is vulnerable to Session Fixation attacks for the same reasons as the PHP example.

To prevent Session Fixation attacks in Java, the session ID should be regenerated after the user logs in, like this:

				
					HttpSession session = request.getSession();
if (session.isNew()) {
    session.invalidate();
    session = request.getSession(true);
    session.setAttribute("id", session.getId());
}

				
			

Javascript:

				
					if (!sessionStorage.getItem("id")) {
    sessionStorage.setItem("id", Math.random());
}

				
			

This code sets the user’s session ID to a random value if it has not already been set. However, this approach is vulnerable to Session Fixation attacks because it allows an attacker to set the session ID before the user logs in, just like the PHP and Java examples.

To prevent Session Fixation attacks in JavaScript, the session ID should be regenerated after the user logs in, like this:

				
					if (!sessionStorage.getItem("id")) {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', '/generate_session_id', false);
    xhr.send(null);
    sessionStorage.setItem("id", xhr.responseText);
}

				
			

Python:

				
					session = request.session
if 'id' not in session:
    session['id'] = request.session.session_key

				
			

This code sets the user’s session ID to the value of the current session key if it has not already been set. However, this approach is vulnerable to Session Fixation attacks because it allows an attacker to set the session ID before the user logs in, just like the other examples.

To prevent Session Fixation attacks in Python, the session ID should be regenerated after the user logs in, like this:

				
					session = request.session
if 'id' not in session:
    request.session.cycle_key()
    session['id'] = request.session.session_key

				
			

Examples of exploitation Session Fixation vulnerability

Session fixation is a vulnerability that allows an attacker to fixate (or set) a user’s session ID to a known value, which the attacker can then use to hijack the user’s session. Some examples of exploiting this vulnerability include:

  1. Phishing: An attacker can send a phishing email to the victim that contains a link to the application, but with a pre-determined session ID. If the victim clicks on the link, the attacker can take over their session.

  2. Cross-site scripting (XSS): If an attacker is able to inject malicious code into a page on the application, they can set the victim’s session ID to a known value, and then redirect the victim to the application.

  3. Man-in-the-middle (MITM) attack: An attacker intercepts the communication between the user and the application, modifies the session ID in transit, and then forwards it to the application.

  4. Session fixation through social engineering: An attacker can trick the victim into clicking on a link that sets their session ID to a known value, for example, by disguising the link as a legitimate login link.

Privilege escalation techniques for Session Fixation

Privilege escalation techniques for session fixation involve using the fixed session ID to gain higher levels of access or permissions within the application. Some common techniques include:

  1. Session hijacking: After fixing the victim’s session ID, an attacker can hijack the session to gain access to the victim’s account and perform actions that they are authorized to do, but the attacker is not.

  2. Session replay: An attacker can use the fixed session ID to replay a session that belongs to a user with higher privileges, allowing the attacker to perform actions that they are not authorized to do.

  3. Cookie manipulation: By fixing the session ID and manipulating cookies, an attacker can gain access to administrative features or sensitive information that they would not normally have access to.

  4. Brute-force attacks: An attacker can use the fixed session ID to repeatedly attempt to login as the victim, guessing the victim’s password until they gain access to the account.

It’s important to note that to execute these techniques, the attacker must first fixate the victim’s session ID using one of the techniques I mentioned in my previous answer.

General methodology and checklist for Session Fixation

The general methodology and checklist for detecting and mitigating session fixation vulnerabilities include the following steps:

  1. Identification: Identify the web application pages that use sessions and determine the session ID generation method. Determine the scope of the session fixation attack by analyzing the application’s authentication and session management mechanisms.

  2. Reproduction: Attempt to reproduce the session fixation vulnerability by following the steps an attacker would take. This involves identifying an initial session ID and then attempting to fixate the session ID by providing the victim with a new, fixed session ID.

  1. Analysis: Analyze the vulnerability by examining the application’s code and the network traffic between the client and server. Identify the root cause of the vulnerability and determine the impact it has on the application.

  2. Mitigation: Mitigate the vulnerability by implementing best practices for session management, such as regenerating session IDs after authentication, limiting the lifespan of sessions, and using secure random numbers for session IDs. Other mitigation techniques may include implementing multi-factor authentication and monitoring the application for suspicious activity.

  3. Testing: Test the application to verify that the vulnerability has been properly mitigated. This may involve testing the application for other vulnerabilities that are related to session management, such as session hijacking or session replay attacks.

  4. Maintenance: Monitor the application for any new vulnerabilities that may arise and ensure that the mitigation techniques continue to be effective over time.

Tools set for exploiting Session Fixation vulnerabilities

Top 10 Manual Tools for Testing Session Fixation:

• Burp Suite
• OWASP ZAP
• Netsparker
• AppScan
• WebInspect
• Acunetix
• Wapiti
• Skipfish
• Arachni
• Grabber

Top 10 Automatic Tools for Testing Session Fixation:

• OWASP Dependency-Check
• OWASP Dependency-Track
• Nmap
• Metasploit
• Nikto
• Vega
• W3af
• OpenVAS
• Skipfish
• Arachni

Average CVSS score of Session Fixation vulnerabilities

The average CVSS score for Session Fixation vulnerabilities is difficult to determine since the CVSS score can vary depending on the specific vulnerability and its impact. However, in general, Session Fixation vulnerabilities are considered to be of medium to high severity and can have CVSS scores ranging from 4.0 to 9.0 or higher, depending on the specific circumstances.

The Common Weakness Enumeration (CWE)

  1. CWE-384: Session Fixation: An attacker can set the session ID of another user, allowing them to hijack the session and gain unauthorized access.

  2. CWE-287: Improper Authentication: The application fails to authenticate a user’s identity properly, which could lead to session fixation attacks.

  3. CWE-602: Client-Side Enforcement of Server-Side Security: Client-side enforcement of server-side security can be circumvented, leading to session fixation vulnerabilities.

  4. CWE-613: Insufficient Session Expiration: The application fails to expire sessions properly, which could allow attackers to reuse session IDs.

  5. CWE-614: Sensitive Cookie in HTTPS Session Without “Secure” Attribute: Sensitive cookies are transmitted over an unencrypted connection, making them vulnerable to session fixation attacks.

  6. CWE-319: Cleartext Transmission of Sensitive Information: Sensitive information, including session IDs, is transmitted in clear text, which can be intercepted and used to hijack a user’s session.

  7. CWE-522: Insufficiently Protected Credentials: Credentials, including session IDs, are not adequately protected, which could allow attackers to steal them and use them to hijack a user’s session.

  8. CWE-400: Uncontrolled Resource Consumption: An attacker can use a session fixation attack to consume excessive resources on the server, leading to a denial of service.

  9. CWE-653: Insufficient Compartmentalization: The application fails to separate sessions properly, which can lead to session fixation attacks.

  10. CWE-942: Overly Permissive Cross-domain Whitelist: The application permits cross-domain requests from arbitrary domains, which could allow attackers to carry out session fixation attacks.

Session Fixation vulnerabilities exploits

There are various exploits that attackers can use to exploit Session Fixation vulnerabilities. Some of the commonly used exploits are:

  1. Pre-Authentication Session Fixation: The attacker tricks the victim into logging into the application with a known session ID that the attacker has control over.

  2. Session ID Prediction: The attacker predicts the session ID that will be assigned to the victim’s session and sets their own session ID to that value. When the victim logs in, their session ID is the same as the attacker’s.

  3. Session ID Injection: The attacker injects a crafted session ID into the victim’s session, which replaces the legitimate session ID. This can happen when the application fails to validate the session ID before assigning it to the user’s session.

  4. Cross-site Scripting (XSS) with Session Fixation: The attacker injects a script into a vulnerable web page, which sets the session ID to a value that the attacker controls. When the victim visits the page, their session ID is set to the attacker’s value.

Practicing in test for Session Fixation vulnerabilities

Testing for Session Fixation vulnerabilities involves simulating an attack to determine if the application is vulnerable to this type of attack. Here are some steps you can take to test for Session Fixation vulnerabilities:

  1. Identify the session management mechanism used by the application: Before you can test for Session Fixation vulnerabilities, you need to know how the application manages user sessions. Common mechanisms include cookies, URL parameters, and hidden form fields.

  2. Attempt a Session Fixation attack: Once you know the session management mechanism used by the application, attempt a Session Fixation attack by setting your own session ID and then tricking a victim into using that session ID. You can use tools such as Burp Suite, ZAP, or OWASP Mantra to automate the attack.

  3. Verify the vulnerability: Once you’ve attempted a Session Fixation attack, verify whether the application is vulnerable. You can do this by verifying that the victim’s session ID matches the one you set.

  4. Mitigate the vulnerability: If the application is vulnerable, you should take steps to mitigate the vulnerability. This may involve implementing secure session management practices, such as generating a new session ID for each user session and ensuring that session IDs cannot be easily predicted or controlled by an attacker.

For study Session Fixation vulnerabilities

If you’re interested in studying session fixation vulnerabilities, here are some resources that can help you get started:

  1. OWASP Session Management Cheat Sheet: This resource provides an overview of best practices for session management and includes information on common session-related vulnerabilities, including session fixation.

  2. The Web Application Hacker’s Handbook: This book provides a comprehensive guide to web application security testing, including information on session management vulnerabilities and how to identify and exploit them.

  3. OWASP Top Ten Project: The OWASP Top Ten Project is a list of the most critical web application security risks, which includes session management vulnerabilities such as session fixation. This resource provides an overview of these risks and offers guidance on how to mitigate them.

  4. SANS Institute: The SANS Institute offers various training courses on web application security, including a course on “Web Application Penetration Testing and Ethical Hacking,” which covers session management vulnerabilities and other related topics.

  5. Bug bounty programs: Bug bounty programs offered by various companies and organizations can provide an opportunity to practice identifying and reporting session management vulnerabilities in a safe and ethical environment.

By studying these resources and practicing ethical hacking techniques, you can gain a better understanding of session fixation vulnerabilities and how to prevent and mitigate them.

Books with review of Session Fixation vulnerabilities

  1. “Web Application Security, A Beginner’s Guide” by Bryan Sullivan, Vincent Liu, and Michael Cross: This book provides an overview of web application security, including chapters on session management vulnerabilities, including session fixation.

  2. “The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski: This book offers a comprehensive guide to web application security, including coverage of session management vulnerabilities and session fixation attacks.

  3. “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto: This book provides a detailed guide to web application security testing, including coverage of session management vulnerabilities and how to identify and exploit them.

  4. “OWASP Testing Guide v4” by The Open Web Application Security Project: This book provides a guide to web application security testing, including chapters on session management testing and vulnerabilities, such as session fixation.

  5. “Web Application Security, A Complete Guide” by Tejaswini Herath: This book provides a comprehensive overview of web application security, including coverage of session management vulnerabilities and how to prevent and mitigate them.

By reading these books, you can gain a deeper understanding of session fixation vulnerabilities and how to identify and mitigate them.

List of payloads Session Fixation vulnerabilities

Session Fixation is a type of web application vulnerability that allows an attacker to hijack a user’s session. The following are examples of payloads that can be used to exploit this vulnerability:

  1. Attacker-controlled session ID: An attacker can generate a session ID and trick the user into using it by sending a malicious link with the session ID in it. This would allow the attacker to use the same session ID as the user and gain access to their session.

  2. Session ID prediction: An attacker can try to guess the session ID of the user. This can be done by analyzing the session ID generation algorithm used by the web application and predicting the next session ID.

  3. Cross-site scripting (XSS): An attacker can inject a script into a vulnerable web page that sets the session ID to a value controlled by the attacker. This would allow the attacker to use the same session ID as the user and gain access to their session.

How to be protected from Session Fixation vulnerabilities

Here are some examples of Sigma rules and firewall rules that can be used to block or stop Session Fixation vulnerabilities:

• Sigma rule to detect and alert on Session Fixation attempts:

				
					title: Session Fixation Attempt Detected
detection:
  selection1:
    selection:
      field: http.request.method
      pattern: POST
    condition: any
  selection2:
    selection:
      field: http.cookie
      pattern: (JSESSIONID|PHPSESSID)
    condition: any
  selection3:
    selection:
      field: http.set_cookie
      pattern: (JSESSIONID|PHPSESSID)
    condition: any
  selection4:
    selection:
      field: http.response.status_code
      pattern: 3\d\d
    condition: any
  condition: all
falsepositives:
  - Some applications may legitimately use cookies or response codes
  that match the pattern. Adjust the pattern to reduce false positives.

				
			

• Firewall rule to block Session Fixation attempts:

				
					Rule Name: Block Session Fixation Attempts
Action: Block
Source: Any
Destination: Web server IP address
Protocol: TCP
Port: 80, 443
Condition: http.cookie contains "JSESSIONID" or "PHPSESSID"

				
			

• Firewall rule to allow only secure session cookies:

				
					Rule Name: Allow Secure Session Cookies Only
Action: Allow
Source: Any
Destination: Web server IP address
Protocol: TCP
Port: 80, 443
Condition: http.set_cookie contains "secure; HttpOnly"

				
			

Note that the above rules are just examples, and you may need to modify them to suit your specific environment and requirements. Also, it is recommended to test any new rule in a staging environment before applying it to production.

Mitigations for Session Fixation vulnerabilities

Session fixation vulnerabilities can be mitigated by implementing the following measures:

  • Use unique session identifiers: Generate new session identifiers for each user session, and ensure that they are sufficiently random and unpredictable.

  • Use secure session management techniques: Implement secure session management techniques such as session timeouts, cookie attributes like HTTPOnly, and Secure flags.

  • Restrict access to sensitive resources: Restrict access to sensitive resources until a user is authenticated, and invalidate a session after a user logs out.

  • Limit the scope of session identifiers: Ensure that session identifiers have a limited scope, such as for a specific domain or application.

  • Monitor session activity: Monitor session activity for suspicious behavior and automatically terminate sessions that appear to be compromised.

  • Educate users: Educate users about the risks of session fixation and how to protect themselves, such as by logging out after completing their tasks or closing their browser.

Conclusion

In conclusion, session fixation vulnerabilities can pose a serious threat to web applications and user data. However, implementing measures such as using unique session identifiers, secure session management techniques, limiting the scope of session identifiers, and educating users can help mitigate the risks of such vulnerabilities. It is important for developers and web application administrators to be aware of session fixation vulnerabilities and take appropriate measures to protect against them.

Other Services

Ready to secure?

Let's get in touch