The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

application, and uses some means to fix this token within a victim’s browser.

After the user has logged in, the attacker can use the token to hijack the user’s

session.

The steps involved in a successful session fixation attack are illustrated in

Figure 12-10.

Figure 12-10:  The steps involved in a session fixation attack

The key stage in this attack is of course the point at which the attacker feeds

to the victim the session token that he has acquired, thereby causing the vic-

tim’s browser to use it. There are various techniques that the attacker may use

to fix a specific token for a target user, depending upon the mechanism used

by the application for transmitting session tokens. The two most common

techniques are:

■■

Where an application transmits session tokens within a URL parameter,

the attacker can simply feed the victim the same URL that was issued to

him by the application, for example:

https://wahh-app.com/login.php?SessId=12d1a1f856ef224ab424c2454208

■■

Where an application transmits session tokens using HTTP cookies or

hidden fields in HTML forms, the attacker can exploit a known XSS or

header injection vulnerability to set these values within the user’s

Application 

3. User logs in using the token  

received from the attacker 

2. Attacker feeds the session token to the user 

4. Attacker hijac

ks user’

s ses

sion  

usi

ng the same token as the user 

1. Attacker requests /login.php 

and is issued a s

ession token

User 

Attacker 

Download 5,76 Mb.

Do'stlaringiz bilan baham: