Last modified: 2023-04-15
Session fixation attacks exploit a weakness in a web application that lets one person fix (choose in advance) the session identifier another person will use.
The attacker first obtains a valid session identifier from the legitimate website, for example by visiting it and reading the session cookie it issues, and then gets the victim's browser to use that same value.
There are various ways for an attacker to know or control the session value the victim's browser uses. For example:
Predict a session value, if the site generates weak or sequential identifiers.
Eavesdrop on a session with a packet sniffer such as Wireshark, if the cookie travels over unencrypted HTTP.
Inject script into a page the victim loads and set the cookie directly (the cookie name must match the one the site actually uses; SESSIONID is a placeholder):
<script>document.cookie = "SESSIONID=" + ATTACKERS_SESSION_ID;</script>
If the victim then logs in while the attacker's session value is stored in the cookie, and the site keeps the same session identifier across login instead of issuing a new one, the attacker's session becomes an authenticated session for the victim's account and the attacker can act as the victim. The standard defence is to regenerate the session identifier at login (and on any privilege change) and to refuse session identifiers the server did not itself issue.
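The following is an added example, not code from the original page: a minimal in-memory session store (the class names, the token format and the `rotate_on_login` flag are all assumptions chosen for illustration) that replays the attack above. With `rotate_on_login=False` the planted identifier is carried into the victim's authenticated session and the attacker can read the victim's identity through it; with `rotate_on_login=True` the server swaps in a fresh identifier at login, so the value the attacker knows points at nothing while the victim's own session keeps working.

```python
import secrets


class SessionStore:
    """Toy server-side session store (constructed for this example, not a real framework)."""

    def __init__(self, rotate_on_login):
        # rotate_on_login=False reproduces the fixation-prone behaviour; True is the fix.
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> session data

    def get_or_create(self, cookie_sid):
        # Permissive handling common in vulnerable apps: whatever id the client sends
        # (including one planted by an attacker) is accepted and given a session record.
        if cookie_sid is None:
            cookie_sid = secrets.token_hex(16)
        self.sessions.setdefault(cookie_sid, {})
        return cookie_sid

    def login(self, sid, user):
        # Returns the session id the server would send back in Set-Cookie.
        if self.rotate_on_login:
            # Mitigation: issue a brand-new id and move the session data over, so any
            # id known to a third party before login stops being valid.
            new_sid = secrets.token_hex(16)
            self.sessions[new_sid] = self.sessions.pop(sid)
            sid = new_sid
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        # Identity bound to a session id, or None if the id is unknown / unauthenticated.
        return self.sessions.get(sid, {}).get("user")


def simulate_fixation(rotate_on_login):
    """Replay the attack from the text and report what each party sees afterwards."""
    store = SessionStore(rotate_on_login)

    # 1. Attacker visits the site and receives a valid session id.
    attacker_sid = store.get_or_create(None)

    # 2. Attacker plants that id in the victim's browser (e.g. via the document.cookie
    #    script above); the server accepts the planted cookie as-is.
    victim_sid = store.get_or_create(attacker_sid)

    # 3. Victim logs in; the browser stores whatever id comes back in Set-Cookie.
    victim_sid = store.login(victim_sid, "victim")

    # 4. Attacker presents the id they have known all along.
    return {
        "attacker_sees": store.whoami(attacker_sid),
        "victim_sees": store.whoami(victim_sid),
    }


if __name__ == "__main__":
    print("no rotation :", simulate_fixation(rotate_on_login=False))
    print("rotation    :", simulate_fixation(rotate_on_login=True))
```

Rotating the identifier is what closes the hole; in the real world it should be paired with rejecting unknown client-supplied ids and marking the cookie Secure and HttpOnly, which the toy store above does not model.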