Fixed HTTP Session Cookies

Severity: Medium. Nessus Plugin ID 46201

Synopsis

The remote web application is affected by a session fixation vulnerability.

Description

The remote web application uses cookies to track authenticated users.
If the session cookie is already present before authentication, it remains unchanged after a successful login. A remote attacker can exploit this to hijack a valid user session.

Session cookies are expected to be unpredictable in a secure web application. If the HTTP cookie can be planted in the victim's browser (for example by injecting client-side JavaScript), the attacker does not need to break the pseudo-random generator at all, and the web application is vulnerable to a 'session fixation' attack.

Solution

Fix the application so that the session cookie is re-generated after successful authentication.
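The behaviour the plugin checks for, and the fix above, as an added example (not part of the plugin or any real framework): a constructed in-memory session store with a login handler that keeps the pre-authentication session ID beside one that regenerates it, plus a check that mirrors the plugin's logic of comparing the session cookie before and after login.

```python
import secrets

# Constructed in-memory session store: session ID -> session data.
SESSIONS = {}


def new_session_id():
    """Unpredictable session ID from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def login_vulnerable(cookie_sid, user):
    """Vulnerable pattern: whatever session ID the client already presented is
    kept and simply upgraded to an authenticated session (session fixation)."""
    sid = cookie_sid if cookie_sid else new_session_id()
    SESSIONS[sid] = {"user": user}
    return sid  # cookie sent back to the client


def login_fixed(cookie_sid, user):
    """Fixed pattern: discard the pre-authentication session and issue a fresh
    ID after successful authentication, so a planted cookie is worthless."""
    SESSIONS.pop(cookie_sid, None)  # invalidate the pre-auth session
    sid = new_session_id()
    SESSIONS[sid] = {"user": user}
    return sid


def session_user(sid):
    """Who a given session ID currently authenticates as (None if invalid)."""
    return SESSIONS.get(sid, {}).get("user")


def cookie_unchanged_after_login(login_fn):
    """Mirrors the plugin's check: present a session cookie before login and
    see whether the application returns the same one afterwards."""
    pre_auth = new_session_id()
    SESSIONS[pre_auth] = {"user": None}  # anonymous session, as before login
    post_auth = login_fn(pre_auth, "alice")
    return post_auth == pre_auth


def old_cookie_still_authenticated(login_fn):
    """Does the pre-authentication ID grant access to the logged-in user?"""
    pre_auth = new_session_id()
    SESSIONS[pre_auth] = {"user": None}
    login_fn(pre_auth, "alice")
    return session_user(pre_auth) == "alice"
```

Run `cookie_unchanged_after_login` against each handler: the vulnerable one returns the planted ID and that ID now maps to the authenticated user; the fixed one returns a new ID and the planted one no longer resolves to any user.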

See Also

https://en.wikipedia.org/wiki/Session_fixation

https://www.owasp.org/index.php/Session_Fixation

http://phpsecurity.org/ch04.pdf

Plugin Details

Severity: Medium

ID: 46201

File Name: fixed_session_cookies.nasl

Version: 1.10

Type: remote

Family: Web Servers

Published: 4/30/2010

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L