Session Fixation Vulnerability

Cookies/session are web application components that are needed during the development phase of the server side of web applications for reasons such as distinguishing and authorizing the users who visit it, keeping the current session for a certain period of time, carrying various information or managing the session. Cookie and session are web application expressions that are used for similar purposes but have some fundamental differences. In terms of security, session usage is generally preferred.

Since cookie information is kept on the client side, care should be taken not to carry sensitive data (user name, password, credit card number, etc.) or values ​​that can be manipulated. When using Session, keeping sensitive data or performing some checks is done on the server side.

When Session is used, an encrypted Session ID value corresponding to the current session is sent to the client side. In this case, although the use of sessions is safe, users' sessions can be obtained by capturing the SessionID value sent to the Client side by attackers. Additionally, care should be taken to ensure that the Session ID value generated when using Session is long enough and consists of complex characters. Otherwise, an active user session can be obtained at that moment by generating values ​​compatible with the current session ID policy. When Session is used, the SessionID values ​​sent to the user are kept in the Cookie HTTP header information and transferred between the client and server.

For each user making a request to the server side, a cookie value with Set-Cookie header information is sent to the client side in the returned http response, and this information is kept in the client browser. Later, in requests made to the server side, this set Cookie value is used. The application server side will also treat the relevant user according to this cookie value. The validity period of the cookie value is also specified in the assigned cookie.

After users authenticate on the target applications, they can connect to the application without requiring repeated authentication by using this Cookie/SessionID value assigned to them. This being the case, attackers who want to log into systems without requiring authentication can use various methods to capture these values.

Various attacks are carried out by targeting Cookie/SessionID information. Many vulnerabilities such as session hijacking, session fixation, cookie theft, exposed session data, cookie attribute manipulation, sessionid-token randomless vulnerability can be exploited to perform operations on behalf of the user. Although Cookie/SessionID information is generated on the server side, it is kept in the browser on the client side. This shows that it can be achieved by running a script for users on the client side. At this stage, XSS vulnerability is a frequently used method.

Again, in some cases, attackers can directly access error logging modules such as almah.axd and trace.axd, which are used by application developers and do not have authentication, without exploiting any technical vulnerabilities, and can hijack the sessions of admin users in the relevant applications by using their sessionID values.

If these values ​​are changed directly to their current values ​​on the browser using cookies manager-like applications, the sessions of these users will be compromised. In this way, direct admin panels or user sessions can be obtained.

The vulnerability we want to specifically mention in this article is the session fixation vulnerability. If the SessionID information sent to the client side when authentication is not performed is not changed after authentication, and only authorization is given to this SessionID value, then there is a session fixation vulnerability. The vulnerability can be exploited with a few simple social engineering methods.

Attackers first use various social engineering methods to allow users whose sessions they want to steal to visit the application with a SessionID value they set. Later, if the victim performs the authentication process on this application, the attacker can hijack the victim's session by setting it for the relevant target application in his own browser, since he knows this sessionID value. Since this sessionID value is already defined in the attacker's own browser, when he calls the application, he will gain access to the application through the victim's session.