Wednesday, January 6, 2016

What is Session Fixation Attack ?

When a user authenticates himself to a server, a session cookie is placed in his computer. For subsequent requests in the session, the information kept in the cookie is used.

In Session Fixation Attack, an attacker exploits security vulnerability in the web application and fixes the session key of the user to some predefined value, so that the attacker can later log in to the server and impersonate the user to steal sensitive information and perform more attacks.







Let's understand how the attacks are performed, with a couple of examples.




Example 1 :

  • The attacker finds out the web application has security vulnerabilities. It accepts any session
    identifier especially accepts session identifier from query strings and does not do security validation properly.
  • The attacker now uses some social engineering and sends the victim a link containing the predefined session key. He convinces the victim to click on the link, for example by saying, it's a link of some new features in the bank.
  • The victim clicks on the link and a login window appears.
  • The victim logs in and the session key is set with the value the attacker provided.
  • The attacker can now log in and get unlimited access to the victim's account. The attacker can now steal sensitive information or perform more attacks.




Example 2 :

  • The attacker logs in to the server and notes down the session key.
  • The attacker sends a link containing the session key to the victim using similar social engineering tricks.
  • The victim clicks on the link and logs in to the server.
  • The victim's session key is set to the session key sent by the attacker.
  • The attacker can now login to the server impersonating the victim.


Please note that, here the attacker is using a server generated session id instead of a random one. So, even if a server accepts only server generated session keys, it is not safe from Session Fixation Attacks.




Example 3 :

  • A website vulnerable.com gives a subdomain unrusted.vulnerable.com to an untrusted third party.
  • The attacker has control over the website untrusted.vulnerable.com and he lures the victim to visit utrusted.vulnerable.com
  • When the victim visits untrusted.vulnerable.com, a cookie is set on his browser with the domain .vulnerable.com
  • The victim now visits vulnerable.com and the same cookie is sent to the server.
  • The server accepts the cookie as it is with the domain .vulnerable.com
  • But, this session key is known to the attacker. So, the attacker logs in to the server and impersonates the victim.


How to prevent Session Fixation Attack ?


We can take a couple of steps to prevent this attack.

  • Web applications should not accept session identifiers from GET or POST variables. They will rather simplify the attacks.
  • Web applications should change the session key once a user logs in. This will limit the attackers even if they manage to fix session key of anonymous users.
  • Web applications can change the cookie with each and every request made by the user's computer. This will limit the attacker to a great extent, as he can do little with fixing a single session key.
  • Web applications should not accept any random number as session key. Instead, they should accept only server generated session keys.
  • Users should always log out of the web applications, as soon as they are done using them.
  • Web applications should time-out old session keys. This will reinforce the security.
  • Web applications should destroy the session, if Referrer is suspicious.
  • Web applications should use secondary checks like matching the IP address with that of the previous session etc, to increase the security.
  • And, using more than one of the methods stated above will always reinforce the security better.


So, beware of various vulnerabilities so that you can protect your information in a better way and stay safe, stay secured.

No comments:

Post a Comment