What is a Session Fixation Attack?

"Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker will wait for them to login. Once the user does so, the attacker uses the predefined session ID value to assume their online identity." - The Web Application Security Consortium Threat Classification Project

Acrossecurity wrote the first paper describing the problem; it can be found here:
http://www.acrossecurity.com/papers/session_fixation.pdf
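The scenario in the quoted definition, replayed as an added illustration that is not part of the original post or the ACROS paper: a toy in-memory session store (the `SessionStore` and `simulate_fixation` names are assumptions made for this example) honours a client-presented session ID, the victim logs in under that ID, and the attacker then presents the same ID. Without regenerating the ID at login the fixed ID is now authenticated; with regeneration the fixed ID stays anonymous.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example only."""

    def __init__(self, regenerate_on_login: bool):
        self.sessions = {}  # session_id -> dict of session attributes
        self.regenerate_on_login = regenerate_on_login

    def get_or_create(self, presented_id: str) -> str:
        # A session ID presented by the client is honoured even though the
        # server never issued it. This is the behaviour that lets an attacker
        # "fix" the ID before the victim authenticates.
        if presented_id not in self.sessions:
            self.sessions[presented_id] = {"user": None}
        return presented_id

    def login(self, session_id: str, username: str) -> str:
        if self.regenerate_on_login:
            # Mitigation: discard the pre-login ID and issue a fresh,
            # server-chosen one, so any ID known before login is worthless.
            self.sessions.pop(session_id, None)
            session_id = secrets.token_urlsafe(32)
            self.sessions[session_id] = {"user": None}
        self.sessions[session_id]["user"] = username
        return session_id

    def whoami(self, session_id: str):
        return self.sessions.get(session_id, {}).get("user")


def simulate_fixation(regenerate_on_login: bool):
    """Return the identity the attacker obtains by presenting the fixed ID.

    Steps follow the quoted definition: the attacker fixes an ID, waits for
    the victim to log in with it, then reuses that ID.
    """
    store = SessionStore(regenerate_on_login)
    fixed_id = "attacker-chosen-id"           # constructed sample value
    victim_sid = store.get_or_create(fixed_id)  # victim's browser sends the fixed ID
    store.login(victim_sid, "alice")            # victim authenticates
    return store.whoami(fixed_id)               # attacker presents the fixed ID


if __name__ == "__main__":
    print("no regeneration:", simulate_fixation(False))  # 'alice'
    print("regenerate on login:", simulate_fixation(True))  # None
```

Regenerating the session ID at every privilege change (login, role elevation) is the standard defence; additionally refusing to honour session IDs the server never issued narrows the window further but does not replace regeneration.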
