Session Fixation and Session Hijacking
Session Fixation
A session fixation attack permits an attacker to hijack a valid user session. The attack exploits a weakness in the way the web application manages the session ID: the vulnerable application does not assign a new session ID when it authenticates a user, so an existing session ID keeps working after login. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing the victim to authenticate with that session ID, and then hijacking the now-authenticated session using knowledge of the fixed session ID. The attacker has to supply a legitimate session ID for the web application and make the victim's browser use it.
Mitigation
- Ensure that developers assign a new session ID immediately after a user authenticates to the web application, and invalidate the pre-login one.
- Also verify that they never carry the session ID in the URL; it belongs only in a cookie.
Session Hijacking
A session hijacking attack exploits the web session control mechanism, which is normally managed by a session token. The attack compromises the session token by stealing or predicting a valid one, gaining unauthorized access to the web server as that user.
For example: Session Hijacking - HttpOnly XSS
The session can be compromised in different ways; the most common are:
- Predictable session token.
- Session sniffing.
- Client-side attacks (XSS, malicious JavaScript, trojans, etc.)
- Man-in-the-middle attack (MITM).
- Man-in-the-browser attack (MITB).
Mitigation
- Encrypt all data transmitted between the browser and the web application, so the session token is never sent in the clear.
- Use HTTPS with a valid TLS certificate on every page of the website, not only the login page.
- Set the HttpOnly and Secure flags on the session cookie, so scripts cannot read it and the browser never sends it over plain HTTP.
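The two mitigations above that developers control directly, rotating the session ID at login (Session Fixation) and setting the cookie flags (Session Hijacking), in one added example. This is illustration code written for this page, not from the original, and it uses a constructed in-memory session store rather than any real framework's API:

```python
import secrets

class SessionStore:
    """Toy in-memory session store (constructed for this example)."""
    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256-bit random ID, not predictable
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)

def login_vulnerable(store, sid, user):
    """Authenticates the user but keeps the pre-login session ID (fixation-prone)."""
    sess = store.get(sid)
    if sess is None:           # unknown ID: issue a fresh one
        sid = store.create()
        sess = store.get(sid)
    sess["user"] = user
    return sid

def login_hardened(store, sid, user):
    """Authenticates the user and rotates the session ID, discarding the old one."""
    old = store.get(sid) or {}
    store.destroy(sid)         # the pre-login ID must stop working
    new_sid = store.create()
    store.get(new_sid).update(old)
    store.get(new_sid)["user"] = user
    return new_sid

def session_cookie(sid):
    """Set-Cookie value with the flags the mitigation list asks for."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def fixation_succeeds(login):
    """Checks whether a pre-login ID still reaches the victim's authenticated session."""
    store = SessionStore()
    fixed_sid = store.create()                  # ID known before the victim logs in
    login(store, fixed_sid, "victim")           # victim authenticates using that ID
    sess = store.get(fixed_sid)
    return sess is not None and sess["user"] == "victim"
```

`fixation_succeeds(login_vulnerable)` returns True, while `fixation_succeeds(login_hardened)` returns False because the rotated session leaves the pre-login ID dead.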