Session Fixation
Session fixation is a class of session hijacking attack that steals an established session between the client and the web server. It permits an attacker to take over a valid user session.
Overview
The problem occurs when a session ID is the sole mechanism the vulnerable application uses to recognize a user. An attacker may go to the web application and obtain a session ID in a legitimate session of their own. Thus we have Attacker = ID_1234. The attacker may then send another user a URL that includes that session ID. When the other user clicks on the link, their session has the same ID that the attacker’s session had (ID_1234). The real issue here is that if the user logs into their account, their logged-in status is then associated with that session ID. This means the attacker can now go to the URL with the embedded session ID, be logged in under the victim’s account, and have access to everything that the user would have access to.
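The following is an added example, not code from this page or from Waratek, that models the scenario above as a small in-memory session store. The vulnerable store keeps whatever session ID the client presents and leaves it unchanged across login, so the attacker's ID_1234 ends up bound to the victim's account. The hardened store applies the two standard mitigations: it only honours server-issued IDs (a planted, unknown ID is replaced by a fresh one) and it rotates the session ID at login, invalidating the old one. All names and the scenario values are constructed for illustration.

```python
import secrets


class SessionStore:
    """Vulnerable baseline: adopts client-presented IDs and keeps them across login."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": None or username}

    def new_session(self):
        # Server-issued, unpredictable session ID
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, presented_sid):
        # Vulnerable behaviour: an ID the server never issued is silently adopted,
        # which lets an attacker choose the victim's session ID via a crafted URL.
        if presented_sid not in self.sessions:
            self.sessions[presented_sid] = {"user": None}
        return presented_sid

    def login(self, sid, user):
        # Vulnerable behaviour: the pre-authentication ID is kept after login,
        # so anyone who already knows it now holds an authenticated session.
        self.sessions[sid]["user"] = user
        return sid

    def get_user(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


class HardenedSessionStore(SessionStore):
    """Mitigated store: rejects unknown IDs and rotates the ID at login."""

    def resolve(self, presented_sid):
        # Only server-issued IDs are honoured; anything else gets a fresh session.
        if presented_sid in self.sessions:
            return presented_sid
        return self.new_session()

    def login(self, sid, user):
        # Rotate the session ID on privilege change and invalidate the old one,
        # so an ID known before authentication never becomes an authenticated session.
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid


def run_fixation_scenario(store):
    """Replay the overview's scenario; return True if the attacker's ID reaches the victim's login."""
    # Attacker obtains a legitimate session ID of their own (the page's "ID_1234")
    attacker_sid = store.new_session()
    # Victim follows the attacker's link, so their browser presents that same ID
    victim_sid = store.resolve(attacker_sid)
    # Victim authenticates under that session
    store.login(victim_sid, "victim")
    # Does the ID the attacker already knows now map to the victim's account?
    return store.get_user(attacker_sid) == "victim"


def adopts_unknown_id(store):
    """Return True if a never-issued ID presented by a client is accepted as-is."""
    planted = "ID_1234"  # constructed value mirroring the overview
    return store.resolve(planted) == planted


if __name__ == "__main__":
    print("vulnerable hijacked:", run_fixation_scenario(SessionStore()))           # True
    print("hardened hijacked:", run_fixation_scenario(HardenedSessionStore()))     # False
    print("vulnerable adopts planted id:", adopts_unknown_id(SessionStore()))      # True
    print("hardened adopts planted id:", adopts_unknown_id(HardenedSessionStore()))  # False
```

Both checks matter in practice: rotating the ID at login stops the scenario in the overview even when the application accepts arbitrary IDs, while refusing never-issued IDs removes the attacker's ability to pick the value in the first place. A detection hook would typically log the case where a presented ID is unknown to the server, since legitimate clients only ever present IDs the server handed out.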
Rule Options
Action
- Protect - For Session Fixation, the only option is Protect, where the Waratek Agent will actively prevent the lookup of the address(es) from succeeding.
Only a single Session Fixation rule is allowed by the Agent.
Log Messaging
The logs provide a message field, which can be customized. Text entered here is the message that will be seen in the log files when the rule has been triggered, regardless of the Action. If the field is left blank, then the default logging message will be entered into the database.
Severity
The log files allow you to select a custom severity level for the event: Low, Medium, High or Critical. A severity is required, and there is no default selection.
Advanced Options
Disable Logging - By checking this option, no logging will be performed when a rule is triggered. Consequently the Portal will not see these events, they will not appear anywhere in the Portal, and they will not be searchable in Event Storage.
Resources
More information on session fixation can be found at:
- the OWASP Foundation’s website