- Brute Force
- Insufficient Authentication
- Weak Password Recovery Validation
- Credential/Session Prediction
- Insufficient Authorization
- Insufficient Session Expiration
- Session Fixation
3. Client-side Attacks
- Content Spoofing
- Cross-site Scripting
4. Command Execution
- Buffer Overflow
- Format String Attack
- LDAP Injection
- OS Commanding
- SQL Injection
- SSI Injection
- XPath Injection
5. Information Disclosure
- Directory Indexing
- Information Leakage
- Path Traversal
- Predictable Resource Location
6. Logical Attacks
- Abuse of Functionality
- Denial of Service
- Insufficient Anti-automation
- Insufficient Process Validation
Session Fixation is an attack technique that forces a user's session
ID to an explicit value. Depending on the functionality of the target
web site, a number of techniques can be utilized to "fix" the session
ID value. These techniques range from Cross-site Scripting exploits
to peppering the web site with previously made HTTP requests. After
a user's session ID has been fixed, the attacker will wait for them to
login. Once the user does so, the attacker uses the predefined
session ID value to assume their online identity.
Generally speaking there are two types of session management
systems when it comes to ID values. The first type is "permissive"
systems that allow web browsers to specify any ID. The second type
is "strict" systems that only accept server-side generated values. With
permissive systems, arbitrary session IDs are maintained without
contact with the web site. Strict systems require the attacker to
maintain the "trap-session", with periodic web site contact, preventing
Without active protection against session fixation, the attack can be
mounted against any web site using sessions to identify
authenticated users. Web sites using sessions IDs are normally
cookie-based, but URLs and hidden form-fields are used as well.
Unfortunately, cookie-based sessions are the easiest to attack. Most
of the currently identified attack methods are aimed toward the
fixation of cookies.
In contrast to stealing a user's session ID after they have logged into
a web site, session fixation provides a much wider window of
opportunity. The active part of the attack takes place before the user
The session fixation attack is normally a three step process:
1) Session set-up
The attacker sets up a "trap-session" for the target web site and
obtains that session's ID. Or, the attacker may select an arbitrary
session ID used in the attack. In some cases, the established trap
session value must be maintained (kept alive) with repeated web
2) Session fixation
The attacker introduces the trap session value into the user's
browser and fixes the user's session ID.
3) Session entrance
The attacker waits until the user logs into the target web site.
When the user does so, the fixed session ID value will be used
and the attacker may take over.
Fixing a user's session ID value can be achieved with the following
Issuing a new session ID cookie value using a client-side script
A Cross-site Scripting vulnerability present on any web site in the
domain can be used to modify the current cookie value.
Issuing a cookie using the META tag
This method is similar to the previous one, but also effective when
Cross-site Scripting countermeasures prevent the injection of HTML
script tags, but not meta tags.
Issuing a cookie using an HTTP response header
The attacker forces either the target web site, or any other site in the
domain, to issue a session ID cookie. This can be achieved in many
- Breaking into a web server in the domain (e.g., a poorly
maintained WAP server)
- Poisoning a user's DNS server, effectively adding the attacker's
web server to the domain
- Setting up a malicious web server in the domain (e.g., on a
workstation in Windows 2000 domain, all workstations are also
in the DNS domain)
- Exploiting an HTTP response splitting attack
Note: A long-term Session Fixation attack can be achieved by issuing
a persistent cookie (e.g., expiring in 10 years), which will keep the
session fixed even after the user restarts the computer.
"Session Fixation Vulnerability in Web-based Applications", By Mitja Kolsek - Acros Security
"Divide and Conquer", By Amit Klein - Sanctum
To receive your Free Application Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $99.00 for a second Session Fixation attack vulnerability test.