Session fixation through a cookie injection

Session fixation is a vulnerability that relies on re-use of a session ID. First, the attacker must be able to force the victim to use a specific session ID by setting a cookie on their client or by already knowing the value of the victim's session ID. Then, when the victim authenticates, the cookies remain the same on the client. Therefore, the attacker knows the session ID and now has access to the victim's session.

Getting ready

This recipe will require some initial reconnaissance performed against the target site to identify how it's performs authentication, for example through data in the POST requests or through basic auth. It will also require a valid user account to authenticate with.

How to do ...

Get Python: Penetration Testing for Developers now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Python: Penetration Testing for Developers by Christopher Duffy, Mohit, Cameron Buchanan, Terry Ip, Andrew Mabbitt, Benjamin May, Dave Mound

Session fixation through a cookie injection

Getting ready

How to do ...

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly