browser's page history and view pages accessed by the victim. Since
the victim's session ID has not been expired, the attacker would be
able to see the victim's session without being required to supply
authentication credentials.
References
"Dos and Don'ts of Client Authentication on the Web", Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster, MIT Laboratory for Computer Science
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf
2.4 Session Fixation
Session Fixation is an attack technique that forces a user's session
ID to an explicit value. Depending on the functionality of the target
web site, a number of techniques can be utilized to fix the session
ID value. These techniques range from Cross-site Scripting exploits
to peppering the web site with previously made HTTP requests. After
a user's session ID has been fixed, the attacker will wait for them to
login. Once the user does so, the attacker uses the predefined
session ID value to assume their online identity.
Generally speaking, there are two types of session management
systems when it comes to ID values. The first type is "permissive"
systems that allow web browsers to specify any ID. The second type
is "strict" systems that only accept server-side generated values. With
permissive systems, arbitrary session IDs are maintained without
contact with the web site. Strict systems require the attacker to
maintain the trap session, with periodic web site contact, preventing
inactivity timeouts.
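The permissive/strict distinction above, shown as an added illustrative session store (not code from the WASC document): in permissive mode the server adopts any ID the browser presents, while in strict mode it honours only IDs it generated itself and rotates the ID at login so a pre-login ID never becomes an authenticated one. The class, method names and the constructed sample ID are assumptions for this example.

```python
import secrets
from typing import Dict, Optional


class SessionManager:
    """Minimal session store contrasting the two ID policies.

    permissive=True : any session ID presented by the browser is accepted and
                      stored as-is, so an attacker-chosen ID becomes a real session.
    permissive=False: only server-generated IDs are honoured, and the ID is
                      regenerated at login (the standard fixation defence).
    """

    def __init__(self, permissive: bool):
        self.permissive = permissive
        self.sessions: Dict[str, dict] = {}  # session ID -> session data

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)

    def resolve(self, presented_id: Optional[str]) -> str:
        """Return the session ID to use for a request carrying presented_id."""
        if presented_id in self.sessions:
            return presented_id
        if self.permissive and presented_id:
            # Permissive: adopt an ID the server never issued.
            self.sessions[presented_id] = {"user": None}
            return presented_id
        # Strict: unknown or missing ID -> issue a fresh server-generated one.
        sid = self._new_id()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session; returns the ID the client must use afterwards."""
        if self.permissive:
            self.sessions[sid]["user"] = user  # same ID before and after login
            return sid
        # Strict: rotate the ID at the privilege change, invalidating the old one.
        self.sessions.pop(sid, None)
        new_sid = self._new_id()
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        """Who the given session ID currently authenticates, if anyone."""
        return self.sessions.get(sid, {}).get("user")
```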
Without active protection against session fixation, the attack can be
mounted against any web site using sessions to identify
authenticated users. Web sites using session IDs are normally
Copyright 2004, Web Application Security Consortium. All rights reserved.