
SCENARIO:

When a user browses to the login page, the web application sets SESSIONID=X; HttpOnly; before authentication.

After authentication NO new cookies are set. The only cookie used to identify the session is SESSIONID=X.

This should mean that the webapp is vulnerable to a session fixation attack. I want to develop a complete attack, so I need a way to programmatically modify the value of SESSIONID.

The server doesn't use security headers (X-XSS-Protection, etc.), so the login page can be inserted into an iframe and XSS is not blocked.

Is there a way to change the value of SESSIONID when the victim accesses the login page through the attacker's web server?

Maicake
  • might not be enough info here to answer this... in general cookies will only be sent to the server that set them, but this does depend on a few different settings. (same-site attribute for one, and how the cookie's domain is set... as well as secure only) If cross site is allowed then seems like you could modify the subsequent pages to redirect requests to an attacker's site. – pcalkins Mar 30 '22 at 21:30

1 Answer


Is there a way to change the value of SESSIONID when the victim accesses the login page through the attacker's web server?

Nope. When the victim visits the attacker's web server and loads the iframe, the victim's browser directly establishes a new connection (such as an HTTP request) to the website inside the iframe, rather than going through the attacker's website first and then the real website.