
Testing for Session Fixation

OWASP Web Security Testing Guide 4.2 > 6. Session Management Testing > 6.3. Testing for Session Fixation

ID: 6.3
Link to Hackinglife: WSTG-SESS-03
Link to OWASP: Testing for Session Fixation
Description:
  • Analyze the authentication mechanism and its flow.
  • Force cookies and assess the impact.
  • Check whether the application renews the cookie after a successful user authentication.

Session fixation is a web application security attack where an attacker sets or fixes a user's session identifier (session token) to a known value of the attacker's choice. Subsequently, the attacker tricks the victim into using this fixed session identifier to log in, thereby granting the attacker unauthorized access to the victim's session.

The attacker obtains a session token issued by the target web application. This can be done in several ways, such as:

  • Predicting or guessing the session token: Some web applications generate session tokens that are easy to predict or lack sufficient randomness.
  • Intercepting the session token: If the application doesn't use secure channels (e.g., HTTPS) to transmit session tokens, an attacker may intercept them as they travel over an insecure network, such as an open Wi-Fi hotspot.

With a session token in hand, the attacker sets or fixes the victim's session token to a known value that the attacker controls. This value could be one generated by the attacker or an existing valid session token.

The attacker lures the victim into using the fixed session token to log in to the web application. This can be accomplished through various means:

  • Sending the victim a link that includes the fixed session token.
  • Manipulating the victim into clicking on a specially crafted URL.
  • Social engineering tactics to convince the victim to log in under specific circumstances.

Once the victim logs in with the fixed session token, the attacker can now hijack the victim's session. The web application recognizes the attacker as the legitimate user since the session token matches what is expected.

Mitigation

  • Implement session token renewal after a user successfully authenticates.
  • The application should always first invalidate the existing session ID before authenticating a user, and if the authentication is successful, provide another session ID.
  • Prevent "forced cookies" with full HSTS adoption.
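The following added example (written for this page; it is not OWASP's or Hackinglife's code) shows the two login patterns side by side and automates the WSTG-SESS-03 check described at the top of the page. `SessionStore`, `login_without_renewal`, `login_with_renewal`, `session_cookie_headers`, `renews_session_on_login` and the `USERS` table are all constructed for the example; the vulnerable handler keeps whatever session ID the client presented, while the hardened one invalidates the presented ID before authenticating and issues a new one afterwards, as the mitigation list requires.

```python
import hmac
import secrets

# Constructed credential store for the example only (not real accounts).
USERS = {"alice": "correct-horse-battery-staple"}


def check_password(username, password):
    """Constant-time comparison against the constructed user table."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Minimal in-memory server-side session store (example only)."""

    def __init__(self):
        self.sessions = {}

    def create(self, user=None):
        # A fresh, unpredictable identifier (256 bits from the OS CSPRNG).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)

    def destroy(self, sid):
        self.sessions.pop(sid, None)


def login_without_renewal(store, presented_sid, username, password):
    """Vulnerable pattern: authenticates into whatever session id the client
    presented, even one the server never issued, and keeps that id after login.
    A session id fixed into the victim's browser before login therefore becomes
    an authenticated session under that same, already-known id."""
    if store.get(presented_sid) is None:
        store.sessions[presented_sid] = {"user": None}  # adopts a client-supplied id
    if check_password(username, password):
        store.sessions[presented_sid]["user"] = username
    return presented_sid


def login_with_renewal(store, presented_sid, username, password):
    """Hardened pattern, following the mitigation list: invalidate the presented
    id before authenticating, then issue a brand-new id. On success the new
    session carries the user; on failure it is a fresh anonymous session.
    Either way the pre-login id is dead and cannot be reused."""
    store.destroy(presented_sid)
    if check_password(username, password):
        return store.create(user=username)
    return store.create()


def session_cookie_headers(sid):
    """Response headers for issuing the id: cookie flags limit exposure, and HSTS
    keeps the browser on HTTPS so the cookie cannot be set over a plaintext hop."""
    return {
        "Set-Cookie": f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


def renews_session_on_login(login_fn):
    """The WSTG-SESS-03 check, automated against a login function: obtain a
    pre-authentication id, log in with it, and report whether the server issued
    a different id and retired the old one."""
    store = SessionStore()
    pre_auth_sid = store.create()
    post_auth_sid = login_fn(store, pre_auth_sid, "alice", USERS["alice"])
    authenticated = store.get(post_auth_sid)["user"] == "alice"
    return (authenticated
            and post_auth_sid != pre_auth_sid
            and store.get(pre_auth_sid) is None)


if __name__ == "__main__":
    print("without renewal:", renews_session_on_login(login_without_renewal))  # False
    print("with renewal:   ", renews_session_on_login(login_with_renewal))     # True
```

In a real test the same check is run against the live application: note the session cookie value before submitting valid credentials, then compare it with the value in the post-login response. If they match, the application has the vulnerable behaviour of `login_without_renewal`.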

Last update: 2024-04-02
Created: December 26, 2023 19:00:18