AttackFlow Findings Dictionary


Session Fixation

An attacker can enter the application posing as the victim by forcing the victim to authenticate with a session identifier (cookie) the attacker already knows.

Severity

High

Fix Cost

Low

Trust Level

Low

Session fixation is a weakness that stems from validating a user's login without changing the existing session identifier. As a side note, the application stores session identifiers in cookies so that it can recognise returning users, since HTTP itself is stateless.

The code below checks the credentials sent by the user. If the credentials are correct, the session is marked as authenticated; however, the session identifier (cookie) is never changed.

    public class AccountController
    {
        [HttpPost]
        public HttpResponseMessage Login(Credentials credentials)
        {
            // check the submitted credentials and resolve the user
            User user = Authenticator.validate(credentials);
            if (user.IsValid())
            {
                // the pre-login session identifier is kept: this is the session fixation flaw
                Session["login"] = user;
                // redirect to internal page
            }
            // return error
        }
        …

If it was actually the attacker who persuaded the victim to click a link and go to the application to authenticate, the attacker holds the same session identifier (cookie) too. Because the identifier does not change after a valid authentication, the attacker can log into the application without knowing the victim's credentials.
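As an added example that is not part of the AttackFlow dictionary entry, the same Login action hardened against session fixation: the pre-login session is abandoned, its cookie expired, and the authenticated state carried in a fresh forms-authentication ticket instead of Session["login"], because data written to an abandoned session does not survive the request. Authenticator, Credentials and User are the page's placeholder types; User.Name is an assumption.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not AttackFlow's code. Authenticator, Credentials and User
// are the page's placeholder types (User.Name is assumed to exist).
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(Credentials credentials)
    {
        User user = Authenticator.validate(credentials);
        if (user == null || !user.IsValid())
        {
            // one generic error for unknown user and wrong password alike
            ModelState.AddModelError("", "Invalid credentials.");
            return View();
        }

        // 1. Discard all state bound to the pre-login session identifier.
        //    Anything written to Session after Abandon() is dropped when this
        //    request ends, so the authenticated state must not live there.
        Session.Clear();
        Session.Abandon();

        // 2. Expire the old ASP.NET_SessionId cookie. Abandon() alone leaves
        //    the old value in the browser, and the next request would reuse
        //    it: that is the identifier an attacker may have fixed.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });

        // 3. Carry the login in a freshly issued forms-authentication ticket
        //    (encrypted, signed, HttpOnly) rather than in Session["login"].
        //    Requires cookieless="UseCookies" on <forms> and <sessionState>;
        //    with UseUri/AutoDetect/UseDeviceProfile the ticket and session
        //    id may end up in the URL, which is the page's second finding.
        FormsAuthentication.SetAuthCookie(user.Name, false);

        // The redirected request arrives with a brand-new session identifier.
        return RedirectToAction("Index", "Home");
    }
}
```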

Persuading the victim through a link is possible if web.config allows the application and its users to use cookieless session state:

    <configuration>
      <system.web>
        <sessionState cookieless="true" />
        …

or

    <configuration>
      <system.web>
        <authentication>
          <forms cookieless="UseUri" … >
          ...

When this configuration directive is enabled, users can use the application without enabling the cookie mechanism of their browsers. However, it also lets attackers prepare links for their victims such as:

http://vunlnerable.com/myapp/(S(h9a1s723jfsad83kak373))/login.aspx

Other possible vulnerable values for the cookieless attribute (ASP.NET 2.0 onwards) are:

  • UseUri
  • UseDeviceProfile
  • AutoDetect
