■ Various other attacks against users can be used to hijack the user’s session in different ways. These include session fixation vulnerabilities, where an attacker feeds a known session token to a user, waits for them to log in, and then hijacks their session; as well as cross-site request forgery attacks, in which an attacker makes a crafted request to an application from a web site that he controls, and exploits the fact that the user’s browser automatically submits her current cookie with this request. These attacks are also described in Chapter 12.
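The session fixation condition described above comes down to whether a token that existed before login is still bound to the user after login. The following is an added example, not code from the book: a minimal in-memory session store (the `SessionStore` class and its method names are hypothetical) that shows the weak behaviour next to the hardened one, where the token is replaced at authentication.

```python
import secrets


class SessionStore:
    """In-memory session table: token -> authenticated user (None = anonymous)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def issue(self):
        """Create an anonymous pre-login session and return its token."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = None
        return token

    def login(self, presented_token, user):
        """Authenticate `user`; return the token the browser must use afterwards."""
        if presented_token not in self.sessions:
            # Never adopt a token the server did not issue itself.
            presented_token = self.issue()
        if self.rotate_on_login:
            # Hardened: discard the pre-login token and bind a fresh one to the user.
            del self.sessions[presented_token]
            presented_token = secrets.token_urlsafe(32)
        self.sessions[presented_token] = user
        return presented_token

    def whoami(self, token):
        """Return the user bound to `token`, or None if anonymous or unknown."""
        return self.sessions.get(token)


def known_token_still_valid(store):
    """Return the user reachable through a token that was known before login."""
    known = store.issue()         # token that existed before authentication
    store.login(known, "alice")   # constructed user logs in presenting that token
    return store.whoami(known)    # what the pre-login token grants afterwards


if __name__ == "__main__":
    print("no rotation:", known_token_still_valid(SessionStore(rotate_on_login=False)))
    print("rotation:   ", known_token_still_valid(SessionStore(rotate_on_login=True)))
```

The same check works as a regression test against a real application: record the session cookie before login and confirm it no longer identifies the user afterwards.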
HACK STEPS
■