Abstract:
Many web-based applications employ some kind of session management to create a user-friendly environment. Sessions are stored on the server and associated with their respective users by session identifiers (IDs). Naturally, session IDs present an attractive target for attackers, who, by obtaining them, effectively hijack users' identities. Knowing that, web servers employ techniques for protecting session IDs from three classes of attacks: interception, prediction and brute-force attacks. This paper reveals a fourth class of attacks against session IDs: session fixation attacks. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards. There are many ways for the attacker to perform a session fixation attack, depending on the session ID transport mechanism (URL arguments, hidden form fields, cookies) and the vulnerabilities available in the target system or its immediate environment. The paper provides detailed information about exploiting vulnerable systems as well as recommendations for protecting them against session fixation attacks.
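The abstract's core point is that a session ID fixed before login only matters if the server keeps using that same ID once the user has authenticated. The following added example (constructed for this page, not code from the paper or its authors) models a minimal server-side session store with two switches: whether the server adopts unknown, client-supplied IDs, and whether it issues a fresh ID at login. The `fixation_check` function replays the scenario from the abstract against a store and reports whether the pre-login ID ends up bound to the authenticated user; the class, function and the placeholder ID string are all assumptions of the example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for illustration; not the
    paper's code). Two switches model the two properties the defence turns on:
    whether the server adopts unknown, client-supplied IDs, and whether it issues
    a fresh ID when the user authenticates."""

    def __init__(self, accept_client_ids: bool, rotate_on_login: bool):
        self.sessions = {}
        self.accept_client_ids = accept_client_ids
        self.rotate_on_login = rotate_on_login

    def _issue(self):
        # Unpredictable, server-generated ID (addresses the prediction class).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, presented_id):
        """Map the ID the client presented (cookie, URL argument or hidden field)
        to the session the server will use for this request."""
        if presented_id in self.sessions:
            return presented_id
        if presented_id is not None and self.accept_client_ids:
            # Permissive server: adopts any ID the client names. This is what lets
            # an externally chosen ID become a live session.
            self.sessions[presented_id] = {"user": None}
            return presented_id
        # Strict server: unknown IDs are ignored and a fresh one is issued.
        return self._issue()

    def login(self, sid, username):
        """Authenticate the session; with rotation the pre-login ID is retired
        and the user is bound only to a newly issued ID."""
        if self.rotate_on_login:
            self.sessions.pop(sid, None)
            sid = self._issue()
        self.sessions[sid]["user"] = username
        return sid

    def user_for(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def fixation_check(store, attacker_id_is_server_issued):
    """Replay the abstract's scenario: an ID is fixed before the victim logs in,
    the victim presents it and authenticates. Returns True when the pre-login ID
    is afterwards bound to the authenticated user, i.e. the store is vulnerable."""
    if attacker_id_is_server_issued:
        fixed_id = store.resolve(None)          # a real, unauthenticated session
    else:
        fixed_id = "ID-CHOSEN-OUTSIDE-SERVER"   # constructed placeholder value
    victim_sid = store.resolve(fixed_id)        # victim arrives with that ID
    store.login(victim_sid, "alice")            # victim authenticates
    return store.user_for(fixed_id) == "alice"


if __name__ == "__main__":
    cases = [
        ("permissive, no rotation, external ID", SessionStore(True, False), False),
        ("strict, no rotation, external ID", SessionStore(False, False), False),
        ("strict, no rotation, server-issued ID", SessionStore(False, False), True),
        ("strict, rotation, server-issued ID", SessionStore(False, True), True),
        ("permissive, rotation, external ID", SessionStore(True, True), False),
    ]
    for label, store, issued in cases:
        print(f"{label}: {'VULNERABLE' if fixation_check(store, issued) else 'ok'}")
```

Running the five cases shows the distinction the abstract draws: refusing client-chosen IDs stops the simplest variant, but an attacker who first obtains a legitimate unauthenticated ID from the server still succeeds against a strict server that does not rotate. Only issuing a new session ID at the moment of authentication defeats both variants, regardless of which transport mechanism carried the ID.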
CNET published an article on session fixation (Aug 2006).