Session Fixation - The Forgotten Vulnerability?
Authors
Abstract
The term ‘Session Fixation vulnerability’ subsumes issues in Web applications that under certain circumstances enable the adversary to perform a session hijacking attack through controlling the victim’s session identifier value. We explore this vulnerability pattern. First, we give an analysis of the root causes and document existing attack vectors. Then we take steps to assess the current attack surface of Session Fixation. Finally, we present a transparent server-side method for mitigating vulnerabilities.
Similar sources
Session Fixation Vulnerability in Web-based Applications
Many web-based applications employ some kind of session management to create a user-friendly environment. Sessions are stored on the server and associated with respective users by session identifiers (IDs). Naturally, session IDs present an attractive target for attackers, who, by obtaining them, effectively hijack users’ identities. Knowing that, web servers are employing techniques for protecting...
Origin Cookies: Session Integrity for Web Applications
Virtually every web site on the Internet uses cookies to maintain session state between HTTP requests. Unfortunately, cookies have a serious design flaw which limits their security. In particular, cookies can not provide session integrity against an attacker who can host content on a related domain. This type of attacker is surprisingly common and problematic, yet existing proposals and best pr...
Serene: Self-Reliant Client-Side Protection against Session Fixation
The web is the most wide-spread and de facto distributed platform, with a plethora of valuable applications and services. Building stateful services on the web requires a session mechanism that keeps track of server-side session state, such as authentication data. These sessions are an attractive attacker target, since taking over an authenticated session fully compromises the user’s account. T...
Security testing of session initiation protocol implementations
The mechanisms which enable the vast majority of computer attacks are based on design and programming errors in networked applications. The growing use of voice over IP (VOIP) phone technology makes these phone applications potential targets. We present a tool to perform security testing of VOIP applications to identify security vulnerabilities which can be exploited by an attacker. Session Ini...
Prevent Session Hijacking by Binding the Session to the Cryptographic Network Credentials
Many cyber-physical applications are responsible for safety critical or business critical infrastructure. Such applications are often controlled through a web interface. They manage sensitive databases, drive important SCADA systems or represent imperative business processes. A vast majority of such web applications are well-known to be vulnerable to a number of exploits. The focus of this pape...