cookie based, but URLs and hidden form fields are used as well.
Unfortunately, cookie based sessions are the easiest to attack.  Most
of the currently identified attack methods are aimed toward the
fixation of cookies.
In contrast to stealing a user's session ID after they have logged into
a web site, session fixation provides a much wider window of
opportunity. The active part of the attack takes place before the user
logs in.
Example
The session fixation attack is normally a three step process:
1)  Session set up
The attacker sets up a "trap session" for the target web site and
obtains that session's ID. Or, the attacker may select an arbitrary
session ID used in the attack. In some cases, the established trap
session value must be maintained (kept alive) with repeated web
site contact.
2)  Session fixation
The attacker introduces the trap session value into the user's
browser and fixes the user's session ID.
3)  Session entrance
The attacker waits until the user logs into the target web site.
When the user does so, the fixed session ID value will be used
and the attacker may take over.
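The three steps above, played out against a minimal in-memory model of a server's cookie session handling. This is an added example, not code from the WASC document; the SessionStore class, its two switches (whether the server adopts an ID it never issued, and whether it regenerates the ID at login) and the helper names are constructed here to show why the trap ID becomes authenticated on a permissive server and why it does not once the ID is rotated at login.

```python
import secrets

class SessionStore:
    """Minimal in-memory model of cookie session handling (constructed for
    this example; not WASC code or any real framework)."""
    def __init__(self, accept_unknown_ids, rotate_on_login):
        self.sessions = {}  # session_id -> session data
        self.accept_unknown_ids = accept_unknown_ids  # adopt client-sent IDs?
        self.rotate_on_login = rotate_on_login  # issue a fresh ID at login?

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_sid):
        """Map the ID presented in the cookie to the session the server uses."""
        if cookie_sid in self.sessions:
            return cookie_sid
        if cookie_sid is not None and self.accept_unknown_ids:
            # Permissive handling: any value the client sends becomes a session.
            self.sessions[cookie_sid] = {"user": None}
            return cookie_sid
        return self.new_session()  # unknown ID: ignore it and issue our own

    def login(self, cookie_sid, user):
        sid = self.resolve(cookie_sid)
        if self.rotate_on_login:
            # Regenerate the ID so a pre-login value never becomes authenticated.
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid  # the Set-Cookie value the browser receives

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

def simulate_fixation(store, arbitrary_id=None):
    """Play the three steps from the text; return the user the trap ID maps
    to afterwards (None means the fixed ID never became authenticated)."""
    # 1) Session set up: a trap session from the site, or an arbitrary value.
    trap_sid = arbitrary_id or store.new_session()
    # 2) Session fixation: the victim's browser now carries the trap ID.
    # 3) Session entrance: the victim logs in while sending that fixed ID.
    store.login(trap_sid, "victim")
    return store.user_for(trap_sid)

def vulnerable_store():
    return SessionStore(accept_unknown_ids=True, rotate_on_login=False)

def hardened_store():
    return SessionStore(accept_unknown_ids=False, rotate_on_login=True)
```

Rotating the ID at login alone defeats both variants; refusing to adopt IDs the server never issued additionally removes the "arbitrary session ID" variant from step 1.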
Fixing a user's session ID value can be achieved with the following
techniques:
Issuing a new session ID cookie value using a client side script
A Cross-site Scripting vulnerability present on any web site in the
domain can be used to modify the current cookie value.
19
Copyright 2004, Web Application Security Consortium. All rights reserved.