Collaborate Disseminate
Threat model:
Malicious user gaining physical access to browser cookies (e.g., 3rd party repair guy copying cookies to his own device or something like that). Let’s say legit user did not clear cookies beforehand.
Possible mitigation:
Pre-… Continue reading Mitigating physical cookie theft
I’m currently testing a web application for a session fixation vulnerability, the web application has an option where users can use a Facebook account to login. I observed that when a person completes the login the server makes a request t… Continue reading Session Fixation when using Facebook SSO
SCENARIO:
When a user browses to the login page the web application sets SESSIONID=X; Httponly; before the authentication.
After the authentication NO new cookies are set. The only cookie used to identify the session is SESSIONID=X.
This s… Continue reading Is there a way to modify the value of a session token with HttpOnly flag set in this scenario?
From PHP Session Management basics:
Proper use of session.use_only_cookies and session_regenerate_id() can
cause personal DoS with undeletable cookies set by attackers. In this
case, developers may invite users to remove cookies and advis… Continue reading How does proper use of session.use_only_cookies and session_regenerate_id() cause personal DoS?
From what I understood and read, the typical scenario is the following:
ATK visits a login page which sets a session ID (realistically a cookie). The attacker already tested that after the login in to the web application this SID remains … Continue reading Is this the only form of session fixation?
From what I understood and read, the typical scenario is the following:
ATK visits a login page which sets a session ID (realistically a cookie). The attacker already tested that after the login in to the web application this SID remains … Continue reading Is this the only form of session fixation?
OWASP recommends setting session timeouts to minimal value possible, to minimize the time an attacker has to hijack the session:
Session timeout define action window time for a user thus this window represents, in the same time, the de… Continue reading What attacks are prevented using Session Timeout or Expiry?
Is there a way to perform session fixation attack with XSS present if session id is passed in request header?
As far as I see it, theoretically there are three ways to do so:
intercept request on login, substitute session … Continue reading Session id in custom header
Situation
I am the responsible developer for an ASP.NET application that uses the “Membership” (username and password) authentication scheme. I am presented with the following report from a WebInspect scan:
WebInspect has found a sess… Continue reading Hardening ASP.NET against session fixation: Should I change the session ID despite the additional Auth cookie?
I am learning about “Session fixation” and have read the corresponding OWASP page.
In their Example 2 in the above page, they describe an attack via JavaScript, that is embedded in the URL like:
http://website.kom/<script>document…. Continue reading Can a URL contain executable JavaScript?