CAPEC-61 - Session Fixation

The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.

  • Attack Methods (2): Time and State; Injection
  • Purposes (1): Penetration
  • Sec Principles (3): Complete Mediation; Reluctance to Trust; Defense in Depth
  • Scopes (1): Gain privileges / assume identity (Authorization, Access_Control, Confidentiality)

Attacker Skills or Knowledge Required

Low: Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attacker's motives.

Attack Prerequisites

  • Session identifiers that remain unchanged when the privilege level changes.
  • A permissive session management mechanism that accepts arbitrary client-supplied session identifiers.
  • Predictable session identifiers.

Resources Required

None.

Probing Techniques

Determining whether the target application server accepts preset session identifiers is relatively easy. Depending on the application design, the attacker can try supplying a session identifier in the URL, in a hidden form field, or in a cookie. Using their own account, or a dummy account created for the purpose, the attacker can then observe whether the preset identifier is accepted.

With the code or design in hand, the attacker can readily verify whether preset session identifiers are accepted and whether identifiers are regenerated, and possibly destroyed, when the privilege level changes.

Related Guidelines

Never Use Unvalidated Input as Part of a Directive to any Internal Component

Attack Execution Flow

Explore - Step 1 - Set up the Attack

Set up a session: The attacker has to set up a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. Because the application may expire idle sessions, the attacker may also have to periodically refresh the trap session to keep its identifier valid.

Technique ID: 1 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

The attacker chooses a predefined identifier that they already know.

Technique ID: 2 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

The attacker creates a trap session for the victim.

Indicator ID: 1 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

Type: Positive

The application accepts predefined, or user-provided session IDs

Indicator ID: 2 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

Type: Negative

The application ignores predefined, or user-provided session IDs and provides new session IDs.


Security Control ID: 1

Type: Detective

Detect and alert on users who provide unknown session IDs in their connection establishment. Since this also fits the scenario where a user's session has expired, the heuristic must be a bit smarter, perhaps looking for an unusually high number of such occurrences in a short time frame.

Security Control ID: 2

Type: Detective

Detect and alert on multiple origins connecting with the same predefined session ID.


Outcome ID: 1

Type: Success

A trap session or a predefined session ID is established.



Experiment - Step 1 - Attract a Victim

Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing it into the victim's browser. This is known as fixating the session. The identifier can be introduced by leveraging a cross-site scripting vulnerability, by using META tags, or by setting HTTP response headers (for example Set-Cookie) in a variety of ways.

Technique ID: 1 - Environment(s) env-Web

Attackers can post links carrying the fixated identifier on web sites (such as forums, blogs, or comment forms).

Technique ID: 2 - Environment(s) env-Peer2Peer env-ClientServer env-CommProtocol

Attackers can establish rogue proxy servers for network protocols that hand out the session ID and then redirect the connection to the legitimate service.

Technique ID: 3 - Environment(s) env-Web

Attackers can email attack URLs to potential victims through spam and phishing techniques.

Security Control ID: 1

Type: Detective

Record referrers from web clients that connect with predefined session IDs. Alert when referrers do not match known, acceptable sites.


Outcome ID: 1

Type: Success

A victim makes a connection according to the attackers' design.



Exploit - Step 1 - Abuse the Victim's Session

Take over the fixated session: Once the victim has achieved a higher level of privilege, typically by logging into the application, the attacker can take over the session using the fixated session identifier.

Technique ID: 1 - Environment(s) env-Web

The attacker loads the predefined session ID into their browser and browses to protected data or functionality.

Technique ID: 2 - Environment(s) env-CommProtocol env-ClientServer env-Peer2Peer

The attacker loads the predefined session ID into their client software and uses functionality with the rights of the victim.

Security Control ID: 1

Type: Detective

Detect and alert on multiple simultaneous uses of the same session ID from different origins.

Security Control ID: 2

Type: Corrective

Disconnect all simultaneous users of the same session ID when they arrive from different origins.
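The detective controls listed for the three phases (an origin presenting a burst of unrecognised identifiers, and one identifier arriving from several origins) can be expressed as a small pass over the application's access log. The following Python is an added example and is not part of the CAPEC entry; the log format, the field names (sid, known, origin), the addresses and the thresholds are all constructed here for illustration and do not correspond to any real web server's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical access log: one line per request recording the
# session identifier the client presented, whether the server recognised it,
# and the client origin. 203.0.113.9 first probes with five unknown IDs, then
# later presents an identifier that a different client had been using.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sid=8f3a2c known=yes origin=198.51.100.7
2024-05-01T10:00:05Z sid=8f3a2c known=yes origin=198.51.100.7
2024-05-01T10:00:09Z sid=aaaa01 known=no origin=203.0.113.9
2024-05-01T10:00:10Z sid=aaaa02 known=no origin=203.0.113.9
2024-05-01T10:00:11Z sid=aaaa03 known=no origin=203.0.113.9
2024-05-01T10:00:12Z sid=aaaa04 known=no origin=203.0.113.9
2024-05-01T10:00:13Z sid=aaaa05 known=no origin=203.0.113.9
2024-05-01T10:00:40Z sid=8f3a2c known=yes origin=203.0.113.9
2024-05-01T10:30:00Z sid=c0ffee known=no origin=192.0.2.44
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) known=(?P<known>yes|no) origin=(?P<origin>\S+)$"
)


def parse(log):
    """Yield (timestamp, sid, known, origin) for every well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not follow the constructed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["sid"], m["known"] == "yes", m["origin"]


def unknown_sid_bursts(log, threshold=5, window=timedelta(seconds=60)):
    """Control 'unknown session IDs': a single unrecognised identifier is just
    an expired session, so alert only when one origin presents at least
    `threshold` unknown identifiers within `window` (sliding window)."""
    per_origin = defaultdict(list)
    for ts, sid, known, origin in parse(log):
        if not known:
            per_origin[origin].append(ts)
    alerts = []
    for origin, times in per_origin.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(origin)
                break  # one alert per origin is enough
    return alerts


def shared_sids(log):
    """Control 'same session ID from different origins': map each identifier
    to the set of origins that presented it and report those with more than one."""
    origins = defaultdict(set)
    for _ts, sid, _known, origin in parse(log):
        origins[sid].add(origin)
    return {sid: sorted(o) for sid, o in origins.items() if len(o) > 1}


if __name__ == "__main__":
    print("probing origins:", unknown_sid_bursts(SAMPLE_LOG))
    print("shared identifiers:", shared_sids(SAMPLE_LOG))
```

Origin-based heuristics of this kind produce false positives behind carrier NAT and for mobile clients whose address changes mid-session, which is why the corrective control (disconnecting every user of the identifier) should be reserved for cases where the identifier was never issued by the server or where the origins overlap in time.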


Outcome ID: 1

Type: Success

The attacker gains access to data or functionality with the rights of the victim.



Solutions and Mitigations

Regenerate session identifiers upon each new request. This ensures that fixated session identifiers are rendered obsolete; note that per-request rotation can break applications that issue several concurrent requests, so the rotation that matters most is the one performed at authentication.

Regenerate the session identifier every time a user enters an authenticated session, and destroy the old identifier when the user logs out of an authenticated session.

Set appropriate expiry times on cookies that contain session identifiers. This helps limit the window of opportunity for an attacker to use the identifier. Cookie expiry is enforced by the client, so the server should also enforce its own idle and absolute session timeouts.

Do not use session identifiers as part of URLs or hidden form fields. It becomes easy for an attacker to trick a user into a fixated session when session identifiers are easily accessible, and identifiers carried in URLs also leak through browser history, server logs and Referer headers.

Authenticate every sensitive transaction by requesting credentials. This ensures that only a legitimate user of the application can proceed with the transaction. If an attacker seeks to perform any such authenticated transaction, valid credentials will be required even though session fixation may have been successful earlier.

Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice. On its own it does not stop an attacker who obtains a genuine identifier through a trap session, so it must be combined with regeneration on privilege change.

Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes, and the old one no longer refers to any session.

Use session identifiers that are difficult to guess or brute-force: One way for attackers to obtain valid session identifiers is by brute-forcing or guessing them. By generating session identifiers from a cryptographically secure random source with sufficient entropy, brute-forcing or guessing becomes impractical.
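The probing technique, the three phases of the execution flow and the last three mitigations can all be exercised against a small model of a session layer. The following Python is an added example, not code from the CAPEC entry or from any real web framework; VulnerableSessions, HardenedSessions, probe and run_fixation are names chosen here, and the Request object is a deliberately minimal stand-in for an HTTP request carrying a session cookie.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: the session identifier the
    client presented (None when it has none) and where the request came from."""
    cookie: Optional[str]
    origin: str


class VulnerableSessions:
    """Permissive session management: a client-supplied identifier is accepted
    as a new session, and the identifier survives authentication. Both CAPEC-61
    prerequisites are present by design; this is the 'before' picture."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": None or username}

    def begin(self, req):
        # Flaw 1: an unknown, client-chosen identifier becomes a valid session.
        sid = req.cookie or secrets.token_hex(16)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, user):
        # Flaw 2: the privilege level changes but the identifier is kept.
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedSessions(VulnerableSessions):
    """Strict session management: only identifiers this server issued are
    honoured, and a fresh one is issued when the privilege level changes."""

    def begin(self, req):
        if req.cookie is not None and req.cookie in self.sessions:
            return req.cookie
        # Unknown or absent identifier: ignore it and issue a server-generated one.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Regenerate on authentication and destroy the pre-auth identifier, so a
        # value planted before login never names the authenticated session.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user}
        return new_sid


def probe(app):
    """Probing step from the text: with a dummy account, check whether a preset
    identifier is accepted and whether it is regenerated on privilege change."""
    preset = "attacker-chosen-id"
    sid = app.begin(Request(cookie=preset, origin="attacker"))
    after_login = app.login(sid, "dummy-account")
    return {"accepts_preset": sid == preset, "regenerates_on_login": after_login != sid}


def run_fixation(app):
    """The three execution-flow phases; returns whose session the attacker
    ends up holding (None means the attack failed)."""
    # Explore: obtain an identifier through a trap session (or simply choose one).
    trap_sid = app.begin(Request(cookie="fixated-value", origin="attacker"))
    # Experiment: the victim is lured into presenting that identifier, then logs in.
    victim_sid = app.begin(Request(cookie=trap_sid, origin="victim"))
    app.login(victim_sid, "alice")
    # Exploit: the attacker replays the identifier they planted.
    return app.whoami(trap_sid)


if __name__ == "__main__":
    for cls in (VulnerableSessions, HardenedSessions):
        print(cls.__name__, probe(cls()), "attacker sees:", run_fixation(cls()))
```

HardenedSessions still honours its own issued identifiers when a different client presents them, which is exactly what the rogue-proxy technique relies on: the attacker's trap session yields a genuine identifier. Rejecting client-chosen identifiers therefore only narrows the attack; it is the regeneration and destruction of the identifier at login that makes the attacker's copy worthless.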