icon

Session Fixation

Last modified: 2023-04-15

Session fixation attacks attempt to exploit the vulnerability of a system that allows one person to fixate another person’s session identifier.

Exploitation

1. Attacker Logins Website to Get the Session

An attacker need to login to a legitimate website then get the session value.

Cookie: sessid=abcdef

2. Attacker Sends the Session Value to Victim

There are various way to send the attacker’s session value. For example,

  • Send email.

  • Predict a session value.

  • Eavesdrop a session using packet sniffer such as Wireshark.

  • XSS

    <script>document.cookie = ATTACKERS_SESSION_ID</script>
    

3. Victim Logins with Attacker’s Session

If the victim logins and attacker’s session is set to the Cookie, the attacker can control the victim’s account in the website.