
Just found a session fixation vulnerability in a couple of tech giants. Here are the steps I took:

1. Log in to your account in a browser (Browser 1).
2. Extract the cookie using a cookie extractor.
3. Import the cookie into a different browser (Browser 2).
4. You are logged into your account without a password.

Note: In some cases, I am able to log in to the second browser even after logging out from the first browser (both browsers have the same cookies, as I imported the cookie from the first browser into the second browser).

Question 1: Why is this happening?
Question 2: Probable ways to resolve this issue.
Question 3: Is this even a session fixation vulnerability?
Question 4: Should I report it to their bug bounty program?
Shakir

1 Answer


Question 1: Why is this happening?

Your session is only bound to a session cookie, not to the IP or any browser details. This is entirely common - even Github does that. (Using additional properties to bind the session can have undesired consequences, e.g. it could lead to random logouts when a user updates their browser or changes their IP.)

Question 2: Probable ways to resolve this issue.

It's not a major security issue. Copying cookies from one browser to another requires access to a browser's cookie storage which an ordinary attacker doesn't have. If you still want to ensure that a user can't reuse their session in a different browser you could bind additional properties, e.g. invalidate a session as soon as the User-Agent header changes.

Question 3: Is this even a session fixation vulnerability?

No, it's not. In a session fixation attack you force a known session ID on an (unauthenticated) victim. This ID remains valid after the victim logs in so that you can reuse it to be authenticated as the victim yourself. But without an additional vulnerability there is no way to inject the session cookie into the victim's browser in the first place. The OWASP page on it has some examples that show which possible preconditions can lead to a session fixation vulnerability.

Question 4: Should I report it to their bug bounty program?

Most likely it's out of scope. With the hordes of bug bounty hunters you have to expect that issues like these are already covered on high-profile sites and if they persist it's by design.

In some cases, I am able to log in to the second browser even after logging out from the first browser.

A logout should invalidate the current session but not necessarily terminate all other active sessions. Just because you log out from Github on your phone, you don't necessarily want to be logged out in your browser, too.


This demo, using Github as the example, shows that copying the same session cookie from one client to another is often permitted:

  • Login on Github.
  • Copy user session cookie user_session from the browser's cookie jar. (You can't do it with JS because the cookie is HttpOnly.)
  • $ curl -b "user_session=[your session id]" https://github.com/
  • You will find that the HTML response is still authenticated. (You should see your own username and your repositories in the code.)

Arminius
  • Both browsers have the same cookies, as I imported the cookie from the first browser into the second browser. In that case, when the session is destroyed (as the user logs out) in the first browser, the user in the second browser must be logged out also. Isn't it? – Shakir Mar 16 '17 at 05:49
  • @Shakir If the session ID stays the same, I'd expect that, yes. But it could be that one of the IDs changes during the session, making them different. You'd have to check that. – Arminius Mar 16 '17 at 05:51
  • Nope, the values are not changing. I extracted the inserted cookie from the second browser and compared it with the first browser's cookie. It doesn't change. In one case, I was able to use the same cookie (the cookie found in the logged-in state in the 1st browser) to log in from a different browser several times onward. Even after 3/4 days I was able to log in using the same cookie. In that case the session value was not changed. By the way, this case's website is pretty big, like GIT. Now tell me, can it be a vulnerability where they won't destroy the logged-out session and save it for an uncertain time? – Shakir Mar 16 '17 at 05:59
  • @Shakir Yes that could be considered a (moderate) vulnerability. Also have a look at OWASP's chapter on [session expiration](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_Expiration). – Arminius Mar 16 '17 at 06:04
  • By the way, nice explanation @Arminius – Shakir Mar 16 '17 at 06:07
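The answer's points (a session is bound only to the cookie value, so a copied cookie works from any client; a fresh id at login is what rules out fixation; logout should invalidate that one session on the server; optional User-Agent binding; expiration) and the comment thread's finding (a cookie that keeps working days after logout, i.e. logout that only clears the browser cookie) can be seen together in one small server-side session store. The following is an added example written for this page, not code from the question, the answer, or any of the sites discussed; the `SessionStore` class, its method names and the timeouts are hypothetical choices for illustration, and the injectable `clock` exists only so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    user_agent: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an unguessable random session id.

    Hypothetical minimal implementation for illustration; a real application
    would back this with a database or cache rather than a dict.
    """

    def __init__(self, idle_timeout=30 * 60, absolute_timeout=8 * 3600,
                 bind_user_agent=False, clock=time.time):
        self.sessions = {}
        self.idle_timeout = idle_timeout          # seconds since last request
        self.absolute_timeout = absolute_timeout  # seconds since login
        self.bind_user_agent = bind_user_agent    # optional extra binding
        self.clock = clock                        # injectable for tests

    def login(self, user, user_agent):
        """Issue a fresh id on every login (256 bits from the CSPRNG).

        Never carrying a pre-login id over into the authenticated session is
        what defeats session fixation: an id an attacker managed to plant
        before authentication never becomes an authenticated one.
        """
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = Session(user, user_agent, now, now)
        return sid

    def resolve(self, sid, user_agent):
        """Map a presented cookie value to a user, or None if it is not valid.

        Nothing else is checked by default, so a cookie copied into another
        browser or into curl resolves just like the original (the by-design
        behaviour the answer describes).
        """
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if (now - s.created > self.absolute_timeout
                or now - s.last_seen > self.idle_timeout):
            del self.sessions[sid]   # expired: drop it so it cannot be revived
            return None
        if self.bind_user_agent and s.user_agent != user_agent:
            del self.sessions[sid]   # the "invalidate on User-Agent change" option
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        """Invalidate this one session on the server.

        Merely clearing the cookie in the browser (Set-Cookie ...; Max-Age=0)
        would leave a previously copied cookie usable until it expires, which
        is the behaviour reported in the comments above. Other sessions of the
        same user (phone vs. desktop) are deliberately left alone.
        """
        self.sessions.pop(sid, None)

    def logout_all(self, user):
        """Terminate every session of a user, e.g. after a password change."""
        for sid in [k for k, s in self.sessions.items() if s.user == user]:
            del self.sessions[sid]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", "Mozilla/5.0 Firefox")
    print("copied cookie via curl:", store.resolve(sid, "curl/7.0"))  # alice
    store.logout(sid)
    print("same cookie after logout:", store.resolve(sid, "curl/7.0"))  # None
```

Whether to turn on `bind_user_agent` is the trade-off the answer mentions: it stops the copied-cookie trick between clients with different User-Agents, at the cost of logging users out whenever their browser updates, and it does nothing against an attacker who copies the header along with the cookie.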