
Recently I was musing on the problem and realized that I cannot think of a plausible scenario for a session fixation attack against a PHP application running with default settings.

Given session.use_only_cookies's default value is On, an attacker cannot just use a GET request. What are other options? Javascript will require both session.cookie_httponly to be Off and also a working XSS. The only other way I can think of is a script on the site but if we already have a shell, why bother with sessions?

I am not arguing against the use of session_regenerate_id() but an impressive example demonstrating why it's an absolute necessity always helps.

Anders

1 Answer


The only other way I can think of is a script on the site but if we already have a shell, why bother with sessions?

You wouldn't. If you have code exec, there are worse things you could do.

But an attacker isn't the only one who can write code. I have seen code similar to this a couple of times in PHP applications:

session_id([userinput]);

This then introduces a session fixation vulnerability. If session_regenerate_id were used on login, it would at least reduce the impact.

Javascript will require both session.cookie_httponly to be Off and also a working XSS.

If you have XSS, there are worse things that can happen than session fixation.

But as with the PHP code example above, one could imagine JS code from the application reading a user-supplied value and setting it as a cookie. You might also have a limited XSS issue which e.g. only allows injection in a meta tag, via which you could e.g. set cookies.

tim
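To make the answer's point concrete, here is an added example (not code from the answer or from any real application) showing the fixation-prone login pattern next to a hardened one. The function names, the `alice` credential and the way credentials are checked are illustrative assumptions; the only parts that are real PHP API are `session_id()`, `session_start()`, `session_regenerate_id()` and the `session.*` ini directives.

```php
<?php
// Added example, not from the original answer. Function and variable names
// are illustrative assumptions.
declare(strict_types=1);

// VULNERABLE: the pattern the answer describes. The session id comes from
// user input, so whoever chose it also knows the id of the session that is
// about to become authenticated (session fixation).
function vulnerableLogin(string $suppliedSid, string $user, string $pass): void
{
    if ($suppliedSid !== '') {
        session_id($suppliedSid);   // attacker-chosen id is adopted as-is
    }
    session_start();
    if (checkCredentials($user, $pass)) {
        $_SESSION['user'] = $user;  // privilege granted under the fixed id
    }
}

// HARDENED: never take an id from the request, and rotate the id the moment
// the privilege level changes. session_regenerate_id(true) issues a fresh id
// and deletes the old session data, so a pre-planted id never becomes
// authenticated. use_strict_mode makes PHP discard ids it did not create
// itself; the other two directives restate the defaults the question relies on.
function hardenedLogin(string $user, string $pass): bool
{
    // ini_set() for session directives must run before session_start().
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();

    if (!checkCredentials($user, $pass)) {
        return false;
    }
    // Authentication succeeded: drop the pre-login id entirely.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

// Stand-in credential check with a constructed sample credential. A real
// application would compare against a stored password hash.
function checkCredentials(string $user, string $pass): bool
{
    $storedHash = password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($pass, $storedHash);
}
```

The defensive difference is entirely in where the id comes from and when it is replaced: even if some other part of the application does call `session_id()` with a caller-supplied value, regenerating the id on login means the value the attacker planted is no longer the one that carries the authenticated session.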