Java : Session fixation
Classification

- OWASP Top 10 2017: A2 - Broken Authentication
- OWASP Top 10 2021: A7 - Identification and Authentication Failures
- OWASP ASVS: Session Management
- PCI DSS 4.0: 8.2.8
- CWE: CWE-384

Overview
Session Fixation is an attack that aims to obtain a valid user session. It exploits incorrect session management in a vulnerable web application.
For example, session data is merely encoded instead of being encrypted, ostensibly as a security measure, or the application does not assign a new session ID when it authenticates a user. A possible attack scenario consists of three stages:
- An attacker establishes a legitimate connection with the web server and obtains a session ID.
- This ID is injected as a URL parameter, for example
  http://example.com/login?sessionid="qwerty"
  and the link is sent to a victim.
- The victim follows the link and goes through the authentication procedure, as a result of which the session identifier already known to the attacker is set for the authenticated session. The attacker now has access to the victim's data that requires authorization.
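The following Java servlet is an added example, not code from the original article: it shows the vulnerable pattern described above (keeping the pre-authentication session) next to the hardened one (discarding it so the container issues a fresh ID), and rejects session IDs carried in the URL. The servlet name, the `/home` redirect target and the in-memory `USERS` credential store are assumptions; it targets the Jakarta Servlet API.

```java
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
// Hypothetical login servlet; USERS is a constructed stand-in for the real user store.
public class LoginServlet extends HttpServlet {
    // Constructed sample: username -> SHA-256 of the password "correct horse".
    private static final Map<String, byte[]> USERS = Map.of("alice", sha256("correct horse"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // A session ID carried in the URL (the vector described above) is never accepted.
        if (req.isRequestedSessionIdFromURL()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String user = req.getParameter("user");
        if (!authenticate(user, req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Vulnerable pattern: reuse the session the browser presented before login, so a
        // planted ID becomes the authenticated session:
        //   HttpSession session = req.getSession(true);
        // Hardened pattern: discard the pre-authentication session so the container issues a
        // fresh ID before any authenticated state is stored.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home"); // assumed post-login page
    }
    // Servlet 3.1+ alternative that keeps attributes but rotates the ID: req.changeSessionId();

    private static boolean authenticate(String user, String pass) {
        byte[] expected = user == null ? null : USERS.get(user);
        // MessageDigest.isEqual compares in constant time; an unknown user simply fails.
        return expected != null && pass != null && MessageDigest.isEqual(expected, sha256(pass));
    }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Pairing this with cookie-only session tracking in the deployment descriptor (`<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`) makes the container ignore URL-borne IDs outright.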