Session Fixation Attack

A session fixation attack is a type of remote code execution attack which is used to exploit software designed with the web-server Session Management feature. When a website is running an HTTP server, the server's session state information can be stolen and then retrieved by an attacker to take over the browser or use it for further attacks. There are many tools that can help you detect session fixation attacks in your organization in order to prevent future attacks. A Session fixation attack is also known as Session Fixation Vulnerability (SFV).

In this article, we will see a session fixation attack and why it is important to secure it against attackers. Further, this article will discuss some frameworks and tools that can help you find those vulnerabilities in your system.

Session Fixation Attack:

• A Session fixation attack is an attack that occurs when a malicious user sets up a fake session before the legitimate users are able to log in. This leads to the entire system getting compromised and used to steal sensitive data.
• Session fixation attack is most commonly seen in banking systems, where hackers try to get access by setting up an account with minimum start-up requirements. 
• With this method, they bypass any security measures, like CAPTCHA or fingerprint recognition, that banks might have implemented prior to stealing sensitive data. One of the methods used by banks against session fixation attacks is tokenization, which protects accounts while making it difficult for hackers to use fake credentials.
• A session fixation attack is a type of remote code execution attack which is used to exploit software designed with web-server session management features.
• When a website is running on an HTTP server, the server's session state information can be stolen and then retrieved by an attacker to take over the browser or use it for further attacks.

Why is Session Fixation Dangerous?

• In this attacker can act like a authenticate user, without his username or passwords and they also login his/her account without any credentials
• Many applications or websites do not regenerate the session id's after login which make them vulnerable and attacker easily attack on that websites
• This attack also combine with social engineering and phishing which can lead to trick the user more easily.
• It can also leads to account takeovers, data theft, and identity fraud.

Procedure:

• The attacker creates a malicious HTTP session with the victim's browser, hijacks the client's authentication, and copies the user. 
• The attacker can do this by intercepting HTTP traffic from/to the browser, modifying or replaying existing valid sessions, or engineering a new malicious one. Session theft exploits vulnerabilities in applications that do not properly protect their data. 
• The attacker then accesses and modifies data related to the captured session, such as cookies.
• HTTP protocol features like GET and POST methods provide a way for clients to send information to the server, but it does not contain a mechanism for clients to notify the server that this information has been received. 
• To facilitate this exchange of information, HTTP supports Cookies. Since Cookies are sent back and forth between browser and server at every request/response cycle, we can also use them to hijack clients' sessions with websites.
• Cookies can be used by attackers in order to employ session hijacking attacks, which is exactly what Session Hijacking or Session Fixation attacks are about. Session fixation techniques, such as cross-site scripting (XSS), cross-site request forgery (CSRF), and session stealing, are active threats that are already known in the wild.

Examples

For example, in a session fixation attack, the hacker provides the server with his client's session ID and is able to access any server he wants without the need for proper credentials.

This particular type of attack uses malicious scripts placed on websites to generate random ID sessions which aren't compliant with security standards. Hackers can utilize front-end validation services but are able to bypass them. One way hackers do this is by analyzing browser cookies for other people who were already on-site at one point during their visit, as well as what sites users have recently been to in order to ensure that they can provide the website with a legitimate ID session in order to get around any front end validation service put into place.

Session fixation has been a common attack vector for exploits that utilize the Java applet, which is a program that runs within the user's web browser. The hacker's script is able to detect when the user has left their browser, and can then re-establish a new session with the server.
In order to avoid this type of attack from taking place, users must always set Java security settings to 'high' to prevent this from happening. This basically means that all applications on the user's computer are required to be set up before they will be allowed to run.

How to Detect Session Fixation?

Security testers can use the following methods to find or identify the Session Fixation vulnerabilities:

1. Check Session ID Behavior

• Monitor the session cookies before and after login on the website using the tools Burp Suite or OWASP ZAP .
• Check the session ID remains the same before login and after authentication if the session id remain same and it is vulnerable to Session Fixation.

2. Test URL Manipulation

• You can manually modify the session ID in the URL or cookie to check if it persists after login or not. You can see the below as an example.

https://example.com/login?SESSIONID=XYZ123 # If the session is not regenerated, the site is vulnerable.

3. Automated Scanners

• You can also use the tools like Nikto, Acunetix, or Nessus to detect weak session management or not.

Methods of Performing Session Fixation

There are three main techniques to force a user to use a fixed session:

Method 1. URL-Based Session Fixation

• In this method the attacker can embeds a session ID in the URL and sends a malicious link to the victim that contains a predefined session ID.
• So when the victim clicks the link which was send by the attacker and logs in by the authenticated credentials of his own than the attacker's session ID becomes authenticated.
• Now the attacker use the same session ID to access the victim’s account.

https://example.com/login?SESSIONID=ABC123

Note: If the web application does not regenerate the session ID after login, the attacker can simply use the same ID to access the victim’s account.

How to Prevent URL-Based Session Fixation

• After authentication website need to regenerate the session id always.
• Always use the cookies or tokens so that session IDs not expose in the request.
• Always use the HTTP headers to prevent session ID caching.

Method 2. Hidden Form Fields

• In this method the attacker injects a hidden session ID into an HTML login form of the website.
• The victim unknowingly submits the attacker's session ID during login.
• The server does not regenerate the session ID, allowing the attacker to reuse it. See the below example to see how it works

<form action="https://example.com/login" method="POST">
 <input type="hidden" name="SESSIONID" value="ABC123">
 <input type="text" name="username">
 <input type="password" name="password">
 <input type="submit" value="Login">
</form>

• So when the victim submits their username and password in the form the session ID remains same attacker's session ID.
• The attacker can then reuse this session ID to access the victim's account to do the malicious activity on the account.

How to Prevent Hidden Form-Based Session Fixation

• Always use the anti-CSRF tokens so that we can verify the form submissions of every user.
• Validate all session IDs on the server side.

Method 3. Cookie-Based Session Fixation

• In this the attacker use the malicious JavaScript or MITM attacks so they can forces a victim’s browser to accept a predefined session ID generated.
• The attacker can hijack the session if the web application does not refresh the session ID after login. See the below example:

document.cookie = "SESSIONID=ABC123; path=/; domain=example.com";

• If this script executes on a vulnerable website so the victim will use the attacker's session ID upon logging in.
• After that the attacker can then use the same session ID to access the victim’s account.

How to Prevent Cookie-Based Session Fixation:

• We can set cookies with HttpOnly and use the Secure flags to prevent JavaScript access.
• We can also implement the Content Security Policy (CSP) to mitigate XSS attacks on the websites or applications.
• Use the SameSite=Strict cookies to prevent cross-site session fixation attacks.

Session Fixation vs. Session Hijacking

Session hijacking and session fixation are two types of session-based security attacks that are different in how they leverage user sessions. In session hijacking, a malicious actor acquires an active session ID to impersonate a targeted user and gain access to restricted areas.In Session fixation is when an attacker uses different methods to make a victim session with a known or predetermined session ID that the attacker can control after the potential target logs in. Although both can lead to identity theft, unauthorized access, and data loss, they differ in their approaches, as well as their need for tailored preventative measures.

Conclusion: 

There are several tools and frameworks you can use to detect Session Fixation attacks, but normally this kind of attack is detected by your security team or analysts. You need to be alert to invalid sessions and take measures to secure them against attacks. One of the most common ways is using Sessions Control page(s) or malicious scripts that detect whether a session is fixated or not.