
A threat actor may trick a user into using a known session identifier to log in. After the user logs in, the threat actor reuses that session identifier to gain access to the user's account.


qeeqbox/session-fixation

Example #1

  1. Threat actor visits the vulnerable website without logging in and obtains a session identifier
  2. Threat actor tricks a victim into logging into the vulnerable website with that same session identifier
  3. Threat actor reuses the session identifier, which the site never replaced at login, to gain unauthorized access to the victim's account

Impact

Varies

Risk

  • Gain unauthorized access

Remediation

  • Identity confirmation before sensitive actions
  • Regenerate session IDs at authentication, so an ID issued before login never identifies a logged-in user
  • Time out and replace old session IDs
  • Store session IDs in HTTP cookies rather than in URLs
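The following is an added example, not code from this repository, that replays the three steps of Example #1 against an in-memory session store and shows why the remediation "regenerate session IDs at authentication" closes the hole. The `SessionStore`, `login_vulnerable`, `login_hardened`, `USERS`, `SESSION_TTL` and `fixation_scenario` names, the injected clock, and the credentials are all constructed for illustration; the vulnerable login keeps the pre-authentication ID (fixation-prone), while the hardened login moves the session to a fresh ID and invalidates the old one. It also shows session timeout and a cookie header carrying the ID with HttpOnly/Secure/SameSite attributes.

```python
import secrets
import time

SESSION_TTL = 300  # seconds a session id stays valid (assumed value)


class SessionStore:
    """Minimal in-memory session store; `clock` is injectable so timeouts can be tested."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self):
        # 256 bits from the OS CSPRNG: an id nobody can guess, but one that can still be fixated
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "created": self._clock()}
        return sid

    def get(self, sid):
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["created"] > SESSION_TTL:
            del self._sessions[sid]  # expired: drop it so an old id can never be replayed
            return None
        return session

    def regenerate(self, old_sid):
        """Move session state to a fresh id and invalidate the old one (the core fixation fix)."""
        session = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        session["created"] = self._clock()
        self._sessions[new_sid] = session
        return new_sid


USERS = {"alice": "correct horse battery staple"}  # constructed credentials for the demo


def login_vulnerable(store, sid, username, password):
    """Authenticates the user but keeps whatever session id the browser presented."""
    if USERS.get(username) != password:
        return None
    if store.get(sid) is None:
        sid = store.create()
    store.get(sid)["user"] = username  # the pre-login id now identifies a logged-in user
    return sid


def login_hardened(store, sid, username, password):
    """Authenticates the user and issues a brand-new session id on the spot."""
    if USERS.get(username) != password:
        return None
    if store.get(sid) is None:
        sid = store.create()
    new_sid = store.regenerate(sid)  # any id known before authentication is now dead
    store.get(new_sid)["user"] = username
    return new_sid


def whoami(store, sid):
    session = store.get(sid)
    return session["user"] if session else None


def session_cookie_header(sid):
    """Carry the id in a cookie (not a URL) so it is not logged, shared or readable by scripts."""
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def fixation_scenario(login):
    """Replays Example #1 against a login function.

    Returns (account the attacker-known id resolves to, account the victim's id resolves to).
    """
    store = SessionStore()
    known_sid = store.create()                                      # step 1: id obtained pre-login
    victim_sid = login(store, known_sid, "alice", USERS["alice"])   # step 2: victim logs in with it
    return whoami(store, known_sid), whoami(store, victim_sid)      # step 3: known id is reused


if __name__ == "__main__":
    print("vulnerable:", fixation_scenario(login_vulnerable))  # ('alice', 'alice')
    print("hardened:  ", fixation_scenario(login_hardened))    # (None, 'alice')
```

With the vulnerable login the identifier obtained in step 1 resolves to the victim's account after step 2; with the hardened login it resolves to nothing, because the only ID that now maps to the account was minted after the credentials were checked. The timeout in `get` covers the "time out and replace old session IDs" item independently of login.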

ID

ecd7744c-83b0-406c-a58d-63d057a5570b
