I have read about session fixation and from what I understand it forces a user to use an attacker's session. Is this correct? Can you give me an example of how this could offend the user?
Can you give me an example of a session fixation attack?
I don't usually like to post links to Wikipedia, but here's a link to a very good explanation on Wikipedia...
Here's the meat of it:
Alice has an account at the bank http://unsafe/. Unfortunately, Alice is not very security savvy.
Mallory is out to get Alice's money from the bank.
Alice has a reasonable level of trust in Mallory, and will visit links Mallory sends her.
- Mallory has determined that http://unsafe/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe/ is thus not secure.
- Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
- Alice is interested and visits http://unsafe/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
- Mallory visits http://unsafe/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.
@Pentahedron This would mean that if the bank site does create session IDs, and does not just accept any session ID, then this attack is not possible, or am I missing something here? –
Pulpiteer
Even if the bank only accepts IDs that it generated, Alice is not safe. Mallory can visit the bank's site to obtain a bank-generated session ID, and then use that in the link that he sends to Alice. See the linked Wikipedia article for details on how to defend against session fixation attacks. –
Pentahedron
@Pentahedron and the bank would generate a new session id... Am I missing something here? –
Ratel
Wait. I think I get it. Sorry. But this means the bank doesn't issue a token but that it grants permissions to the session when somebody logs in. Which is silly. –
Ratel
I do understand this, but I don't get the key thing, that is, how does the "unsafe" server know this is Alice? Does Alice send any cookie with the SID, or does she specify it in the query string? Why does Mallory not just get Alice's SID? –
Drews
@Adam: "accepts any session identifier" ... "Alice logs on" –
Pentahedron
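To make the answer and the comment thread concrete, here is an added simulation (not from the original post, Wikipedia, or any real bank) of a server-side session table. It reproduces the http://unsafe/ behaviour of adopting any client-supplied SID, the variant raised in the comments where only bank-issued SIDs are accepted but the session is kept across login, and the fix of issuing a fresh SID when a login succeeds. The `SessionStore` class, the `USERS` table and the "alice-pw" credential are constructed for this example.

```python
import hmac
import secrets

USERS = {"alice": "alice-pw"}  # constructed credential store (a real app stores hashes)


class SessionStore:
    """In-memory stand-in for the bank's session table; the two flags select the behaviour."""

    def __init__(self, accept_any_sid, regenerate_on_login):
        self.sessions = {}  # sid -> {"user": username or None}
        self.accept_any_sid = accept_any_sid  # adopt whatever SID the client presents (http://unsafe/)
        self.regenerate_on_login = regenerate_on_login  # issue a fresh SID on successful login (the fix)

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, client_sid):
        """Map the SID a client sent (cookie or ?SID=...) to a server-side session."""
        if client_sid in self.sessions:
            return client_sid
        if client_sid is not None and self.accept_any_sid:
            self.sessions[client_sid] = {"user": None}  # unsafe: attacker-chosen SID accepted as-is
            return client_sid
        return self.new_session()  # unknown SID: ignore it and start a fresh session

    def login(self, client_sid, user, password):
        """Authenticate and return the SID the client must use from now on."""
        sid = self.resolve(client_sid)
        if not hmac.compare_digest(USERS.get(user, ""), password):
            return sid  # bad credentials: the session stays anonymous
        if self.regenerate_on_login:
            self.sessions.pop(sid, None)  # discard the pre-login (possibly fixated) SID
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, client_sid):
        return self.sessions.get(client_sid, {}).get("user")


def fixation_attempt(store):
    """Replay the Alice/Mallory scenario; return whom Mallory's fixated SID is logged in as."""
    if store.accept_any_sid:
        mallory_sid = "I_WILL_KNOW_THE_SID"  # arbitrary value, as in the answer
    else:
        mallory_sid = store.new_session()  # a bank-issued SID, the case raised in the comments
    store.login(mallory_sid, "alice", "alice-pw")  # Alice follows ?SID=... and logs on
    return store.whoami(mallory_sid)  # Mallory later presents the SID he fixated
```

Both non-regenerating configurations return "alice" for Mallory's SID, so restricting the server to its own IDs does not help on its own; only issuing a new SID at login leaves the fixated SID anonymous.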