Session Fixation
Session fixation is a class of session hijacking. Rather than stealing an established session between the client and the web server, the attacker fixes the victim's session ID to a value the attacker already knows before the victim authenticates. The attack therefore lets an attacker take over a valid user session.
Overview
The problem occurs when a session ID is the sole mechanism the vulnerable application uses to recognise a user, and the application keeps that same session ID across authentication instead of issuing a new one at login. An attacker visits the web application and is issued a session ID of his own in a legitimate session; call it Attacker = ID_1234. The attacker then sends another user a URL that carries that session ID. When the victim follows the link, their browser presents the attacker's ID, so their session now has the same ID (ID_1234). The real issue is that when the victim logs in, their logged-in status is associated with that session ID. The attacker can now present ID_1234 to the application and is logged in under the victim's account, with access to everything the victim would have access to.
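The attack flow above, as an added example that is not taken from this page or from Waratek's own code: a constructed in-memory session store with a fixation-prone login beside one that regenerates the session ID on authentication, which is the fix the Servlet API exposes as HttpServletRequest.changeSessionId(). The user table, the example.com link and all function names are assumptions made for this illustration.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed credential table standing in for the application's user store.
USERS = {"victim": "correct horse battery staple"}


class SessionStore:
    """Minimal in-memory session manager standing in for a servlet container's."""

    def __init__(self):
        self._sessions = {}  # session ID -> attribute dict

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def extract_session_id(url):
    """Pull a session ID out of a link, either as a ;jsessionid path parameter
    (servlet-style URL rewriting) or as a JSESSIONID query parameter."""
    parts = urlsplit(url)
    m = re.search(r";jsessionid=([^;/?#]+)", parts.path, re.IGNORECASE)
    if m:
        return m.group(1)
    for key, values in parse_qs(parts.query).items():
        if key.lower() == "jsessionid" and values:
            return values[0]
    return None


def resolve_session(store, presented_sid):
    """Return the ID of the session the request runs under.
    Unknown or absent IDs get a fresh session; a valid one is kept as-is."""
    if presented_sid is not None and store.get(presented_sid) is not None:
        return presented_sid
    return store.create()


def login_vulnerable(store, presented_sid, username, password):
    """Authenticates but keeps the pre-authentication session ID: fixation-prone."""
    sid = resolve_session(store, presented_sid)
    if USERS.get(username) != password:
        return None
    store.get(sid)["user"] = username  # logged-in state is now bound to the fixed ID
    return sid


def login_hardened(store, presented_sid, username, password):
    """Issues a new session ID on successful authentication, which is what
    HttpServletRequest.changeSessionId() does for a servlet application."""
    sid = resolve_session(store, presented_sid)
    if USERS.get(username) != password:
        return None
    attrs = dict(store.get(sid))
    store.invalidate(sid)  # any ID handed to the victim beforehand is now dead
    new_sid = store.create()
    store.get(new_sid).update(attrs)
    store.get(new_sid)["user"] = username
    return new_sid


def whoami(store, sid):
    """Who the application believes presents this session ID (None if nobody)."""
    session = store.get(sid)
    return session.get("user") if session else None


def simulate_fixation(login):
    """Run the attack from the Overview against a given login implementation.
    Returns (user the attacker's ID is logged in as, whether the victim got a new ID)."""
    store = SessionStore()
    # 1. Attacker visits the site and is issued a legitimate session ID (ID_1234).
    attacker_sid = resolve_session(store, None)
    # 2. Attacker sends the victim a link carrying that ID; the victim follows it.
    link = f"https://example.com/app/login;jsessionid={attacker_sid}"
    victim_presents = extract_session_id(link)
    # 3. Victim logs in while presenting the attacker's ID.
    victim_sid = login(store, victim_presents, "victim", USERS["victim"])
    # 4. Attacker replays ID_1234 and asks the application who he is.
    return whoami(store, attacker_sid), victim_sid != attacker_sid


if __name__ == "__main__":
    print("vulnerable:", simulate_fixation(login_vulnerable))  # ('victim', False)
    print("hardened:  ", simulate_fixation(login_hardened))    # (None, True)
```

The hardened login accepts the attacker's ID for the anonymous part of the visit, which is harmless; what matters is that the ID the victim arrived with never becomes an authenticated one, so replaying it gives the attacker nothing.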
Rule Options
Action
- Protect - For Session Fixation, the only action is Protect: the Waratek Agent actively blocks the session fixation attempt so that it does not succeed.
Only a single Session Fixation rule is allowed by the Agent.
Resources
More information on session fixation can be found at:
- the OWASP Foundation's website