[OWASP-TESTING] ENC: Security Paper: Session Fixation Vulnerability in Web-based Applications

Mads Rasmussen mads at opencs.com.br
Thu Dec 19 06:29:09 EST 2002

I thought that this might be interesting literature :)


Mads Rasmussen
Open Communications Security

-----Original message-----
From: Mitja Kolsek (ACROS Lists) [mailto:lists at acros.si] 
Sent: Wednesday, 18 December 2002 11:01
To: secpapers at securityfocus.com
Subject: Security Paper: Session Fixation Vulnerability in Web-based Applications

ACROS Security is pleased to announce the publication of a security paper
about a new class of attacks on web-based applications that we named
"session fixation" attacks. The paper is available at

	[ http://www.acros.si/papers/session_fixation.pdf ]

and could be useful to all web application developers and security
analysts. We would appreciate any feedback you might provide to
<security at acros.si>.


Many web-based applications employ some kind of session management to
create a user-friendly environment. Sessions are stored on the server and
associated with respective users by session identifiers (IDs). Naturally,
session IDs present an attractive target for attackers, who, by obtaining
them, can effectively hijack users' identities. Knowing that, web servers
are employing techniques for protecting session IDs from three classes of
attacks: interception, prediction and brute-force attacks. This paper
reveals a fourth class of attacks against session IDs: session fixation
attacks. In a session fixation attack, the attacker fixes the user's session
ID before the user even logs into the target server, thereby eliminating the
need to obtain the user's session ID afterwards. There are many ways for an
attacker to perform a session fixation attack, depending on the session ID
transport mechanism (URL arguments, hidden form fields, cookies) and the
vulnerabilities available in the target system or its immediate environment.
The paper provides detailed information about exploiting vulnerable systems
as well as recommendations for protecting them against session fixation
attacks.

ACROS Security wishes you a secure and prosperous future.

ACROS Security [ http://www.acros.si ]
"Our business is finding holes in your security ...
... and patching them, while we're at it."
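The core of the attack described in the forwarded announcement, as an added example that is not part of the original message or of the ACROS paper: a server that keeps (or adopts) the session ID the browser presented at login lets an attacker who planted that ID beforehand walk in as the victim afterwards. The fix is to discard the pre-authentication session and issue a fresh, unguessable ID at the moment of login. The session store, the `vulnerable_login`/`hardened_login` functions, the user table and the planted ID are all constructed for this illustration.

```python
"""Session fixation: a permissive login beside one that regenerates the ID.

Constructed demonstration; not code from the ACROS paper or any real server.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None          # None until the user authenticates
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory session table keyed by session ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        # 256 bits from the OS CSPRNG: resists prediction and brute force,
        # which are the other three attack classes the paper lists.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def adopt(self, sid: str) -> Session:
        # "Permissive" servers create a session under whatever ID the client
        # presents. This is what makes the planted ID usable by the attacker.
        return self._sessions.setdefault(sid, Session())

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


# Constructed credential table for the example.
USERS = {"alice": "correct horse battery staple"}


def vulnerable_login(store: SessionStore, request_sid: str,
                     username: str, password: str) -> str:
    """Authenticates, then binds the identity to the ID the browser sent."""
    if USERS.get(username) != password:
        raise PermissionError("bad credentials")
    sess = store.get(request_sid) or store.adopt(request_sid)
    sess.user = username            # the pre-auth ID is now a logged-in session
    return request_sid              # same ID travels back to the browser


def hardened_login(store: SessionStore, request_sid: str,
                   username: str, password: str) -> str:
    """Authenticates, drops the pre-auth session and issues a brand-new ID."""
    if USERS.get(username) != password:
        raise PermissionError("bad credentials")
    store.destroy(request_sid)      # whatever the client presented is now dead
    new_sid = store.new()           # fresh ID the attacker has never seen
    store.get(new_sid).user = username
    return new_sid


def whoami(store: SessionStore, sid: str) -> Optional[str]:
    """What the server believes about the holder of `sid`."""
    sess = store.get(sid)
    return sess.user if sess else None


def fixation_attack(login: Callable[..., str]) -> Optional[str]:
    """Replays the paper's scenario against the given login implementation.

    1. Attacker fixes a known ID in the victim's browser (e.g. via a URL
       argument or a writable cookie) before the victim logs in.
    2. Victim logs in while presenting that ID.
    3. Attacker presents the same ID and asks who they are.
    Returns the identity the attacker obtains, or None if denied.
    """
    store = SessionStore()
    planted_sid = "attacker-chosen-id-0001"       # constructed, attacker-known
    login(store, planted_sid, "alice", USERS["alice"])  # victim logs in
    return whoami(store, planted_sid)             # attacker replays the ID


if __name__ == "__main__":
    print("vulnerable server, attacker is:", fixation_attack(vulnerable_login))
    print("hardened server, attacker is:  ", fixation_attack(hardened_login))
```

Note that `hardened_login` discards the incoming session unconditionally, so it also defeats the variant in which the attacker first obtained a legitimately issued ID from the server and then planted that one; accepting only server-issued IDs is not enough on its own.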
