Is there a way to perform session fixation attack with XSS present if session id is passed in request header?
As far as I see it, theoretically there are three ways to do so:
- intercept the request on login and substitute the session id (I have not found any way to do this with JS without additional installations on the client, like service workers, which I couldn't get to work yet, or browser extensions)
- intercept the response from the server and substitute the session id that was offered by the server (also no information on that one except for the above options).
- get the session id from local storage (at the moment it's not clear where the session cookie is stored):
  a. overwrite localStorage with setItem
  b. overwrite sessionStorage with setItem
  c. overwrite document.cookie
  d. if a custom way of storing the session is used, reverse engineer the client code to find out how, and use that in the XSS.
  I understand that a custom header is not the standard way to operate with sessions, therefore the responsibility for storing and retrieving saved session ids is on the client JS. So, there must be a way to overwrite local storage with cookies.
If my outline of the available options is correct (please correct me if I made a mistake), of all the options the only one that seems realistic is attacking the storage. In this article it's said that:

> As we can see, the session token is sent in a custom HTTP header X-AUTH-TOKEN. Sending session tokens in custom HTTP headers protects applications from Cross-site Request Forgery (CSRF) attacks. Unfortunately, the fact that a global cookie storing the token must be available from JavaScript, in order to be included with a request, makes the application exceptionally vulnerable to token theft.
As for the local storage attack, I generally understand it, but what about intercepting requests and responses and changing them on the fly? As far as I understand, to intercept requests and responses there must be a malicious browser extension installed on the client. We certainly cannot set a custom header from HTML; the only option left is JS (I know XHR can do that, but that would be a separate request, which is not an option with session fixation). But how exactly, and whether it can be done at all, is not yet clear to me. Are there ways to do that? Can anyone give some advice on this one?