
Starting with OWASP I am learning how session fixation attacks work.

This is the scenario: The attacker has the session ID generated by the server (by logging in for example), and sends a hyperlink with the same session id in it to the victim. Now when the victim logs into it, the attacker gets control over his account.

My doubts are:

  1. When the attacker uses an already existing session ID, doesn't the server know that the session id has already been taken by the attacker?
  2. When the victim logs into the website, what can an attacker do with it? Any examples?
KESHAV K

1 Answer


When the attacker uses an already existing session ID, doesn't the server know that the session id has already been taken by the attacker?

The attacker would send a link with a session ID that is either:

  1. not registered at the server at all - i.e. just a random number in the right format, or
  2. for an actual session that is not logged in, so it is not yet associated with any user.

So the attacker never logs in on the site. It would be foolish of the attacker to send a session ID for a session where she is logged in as herself, since that would give the victim control over the attacker's account!

When the victim logs into the website, what can an attacker do with it? Any examples?

When the victim logs in, the session ID in question goes from not being associated with any user to being associated with the victim. Since the attacker knows the session ID, she can now use it to impersonate the victim.

This means that she can do anything the victim could do on the site - create and delete content, edit profiles, whatever. Anything that does not require some form of extra authentication, such as retyping your password.

Anders
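An added example (not part of the question or answer) that models the two flows the answer describes with a constructed in-memory session store: a server that keeps the pre-login session ID lets the planted ID become the victim's session, while a server that issues a fresh ID on authentication leaves the attacker's ID unauthenticated. The `SessionStore` class and `fixation_scenario` function are assumptions for illustration, not any real framework's API.

```python
import secrets


class SessionStore:
    """Toy in-memory session store, constructed for this example."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": username or None}

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def visit(self, sid):
        """Browser presents a session id (e.g. carried in a link).
        A server that trusts client-supplied ids simply registers an unknown one."""
        if sid not in self.sessions:
            self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate the session. With rotation, the pre-login id is discarded
        and a fresh id is issued, so whoever knew the old id gains nothing."""
        if not self.rotate_on_login:
            self.sessions[sid]["user"] = user
            return sid
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_scenario(rotate_on_login, preregistered=True):
    """Attacker plants a session id, victim logs in with it.
    Returns the user the planted id maps to afterwards (None = attack failed)."""
    store = SessionStore(rotate_on_login)
    # Answer's case 2: a real but not-logged-in session; case 1: a made-up id.
    planted = store.new_session() if preregistered else secrets.token_hex(16)
    victim_sid = store.visit(planted)   # victim follows the link carrying the id
    store.login(victim_sid, "victim")   # victim authenticates on that session
    return store.whoami(planted)        # what the already-known id now yields
```

Rotating the session ID at every privilege change (login in particular) is the standard mitigation; the rotation branch above models that check.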