Session fixation

Medium Web Application Scanning Plugin ID 98102


HTTP by itself is a stateless protocol; therefore, the server is unable to
determine which requests are performed by which client and which clients are
authenticated or unauthenticated.

The use of HTTP cookies within the request headers allows a web server to identify each
individual client and thus distinguish clients that hold valid authentication
from those that do not.
The cookies used for this purpose are known as session cookies or session tokens.

To prevent clients from being able to guess each other's session token, each
assigned session token should be entirely random and be different whenever a
session is established with the server.

Session fixation occurs when the client is able to specify its own session
token value and the server does not change the value of the session cookie
after successful authentication.
In some applications the session token also remains unchanged regardless of how
many times the user has authenticated.

Cyber-criminals abuse this behaviour by sending crafted URL links that carry a
predetermined session token. The cyber-criminal then waits for the victim to
log in with that token and become authenticated.
If successful, the cyber-criminal knows a valid session ID and therefore has
access to the victim's session.

The scanner has discovered that it is able to set its own session token.


The most important remediation action is to prevent the server from accepting client-supplied data as session tokens.
Additionally, the client's session token should be changed at specific key stages of the application flow, such as during authentication. This ensures that even if clients are able to set their own cookie, it will not persist into an authenticated session.
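The following added example (constructed for this page, not the scanner's or any framework's code) contrasts a fixation-prone login with one that applies both remediations above: unknown client-supplied tokens are never adopted, and the token is rotated at authentication. The session store is a plain dict standing in for server-side session state; `fixation_attack` replays the crafted-link scenario described earlier and reports which user the planted token resolves to afterwards.

```python
import secrets

# Each store maps session token -> {"user": username or None} (constructed stand-in
# for a real server-side session store).


def new_token():
    # 256 bits from the OS CSPRNG: unguessable and different for every session.
    return secrets.token_urlsafe(32)


def vulnerable_login(store, cookie_token, username):
    """Fixation-prone: adopts whatever token the client presents and keeps it after login."""
    token = cookie_token or new_token()
    store.setdefault(token, {"user": None})
    store[token]["user"] = username  # the attacker-chosen token now carries authenticated state
    return token


def hardened_session(store, cookie_token):
    """Pre-auth handling: a presented token is honoured only if this server issued it."""
    if cookie_token in store:
        return cookie_token
    token = new_token()  # anything not issued by the server is replaced, never adopted
    store[token] = {"user": None}
    return token


def hardened_login(store, cookie_token, username):
    """Authentication is a key stage: retire the pre-auth session and issue a fresh token."""
    store.pop(cookie_token, None)  # drop the old session, whatever its origin
    token = new_token()
    store[token] = {"user": username}
    return token


def fixation_attack(login):
    """Replay the crafted-link scenario and return the user the planted token maps to."""
    store = {}
    planted = "token-from-crafted-link"  # constructed attacker-chosen value
    login(store, planted, "victim")
    return store.get(planted, {}).get("user")


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(vulnerable_login))  # planted token resolves to the victim
    print("hardened:  ", fixation_attack(hardened_login))    # planted token resolves to nobody
```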

Plugin Details

Severity: Medium

ID: 98102

Type: remote

Published: 2017/03/31

Updated: 2017/10/16

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3.0

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
