bahmni-bihar / bahmni_config


Session Fixation #4

Open petmongrels opened 3 years ago

petmongrels commented 3 years ago

Medium / OWASP Session Management Testing

Session Fixation is an attack that permits an attacker to hijack a valid user session. The session fixation attack is a class of Session Hijacking, which steals the established session between the client and the Web Server after the user logs in. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. The attack consists of inducing a user to authenticate himself with a known session ID, and then hijacking the user-validated session by the knowledge of the used session ID.

> 1. We visited the URL and observed its session value; then after login we again observed the session value, and then after logout we did the same.
> 2. We then concluded that throughout the process the session value remains the same.

Proof of Concept is attached along with this tracker. Check the session behaviour and change the session on login/logout.

Estimate 2
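The check the issue describes (observe the session ID before login, after login and after logout, and expect it to change) can be written as a reusable test. The example below is added here and is not Bahmni/OpenMRS code or part of this repository: the two store classes are hypothetical stand-ins for a web framework's session layer, one reproducing the reported behaviour (same ID throughout) and one with the requested fix (fresh ID on login, invalidation on logout), and `session_fixation_check` replays the reporter's three observations against either of them.

```python
"""Session-fixation check: a fixation-prone session store beside a hardened one.

Constructed example for illustration; the store classes are hypothetical and do
not model any particular framework.
"""
import secrets


class FixationVulnerableStore:
    """Keeps the same session ID across login and logout, which is the
    behaviour reported in the issue."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username):
        # Binds the authenticated user to whatever ID the client already holds.
        self.sessions.setdefault(sid, {})["user"] = username
        return sid

    def logout(self, sid):
        # Only clears the user; the same ID stays valid and is reused.
        self.sessions.get(sid, {}).pop("user", None)
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedStore(FixationVulnerableStore):
    """Issues a fresh ID on login and invalidates the ID on logout."""

    def login(self, sid, username):
        # Drop the pre-authentication session entirely, so an ID known before
        # login never maps to the authenticated session.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": username}
        return new_sid

    def logout(self, sid):
        # Invalidate the server-side state, then hand out a new anonymous ID so
        # the logged-out ID cannot be reused.
        self.sessions.pop(sid, None)
        return self.new_session()


def session_fixation_check(store):
    """Replay the issue's test: observe the ID before login, after login and
    after logout. Returns the three IDs and a list of problems; an empty
    "problems" list means the store rotates and invalidates correctly."""
    problems = []
    before = store.new_session()

    after_login = store.login(before, "tester")
    if after_login == before:
        problems.append("session ID unchanged on login")
    elif store.user_for(before) is not None:
        problems.append("pre-login ID still authenticated after rotation")

    after_logout = store.logout(after_login)
    if after_logout == after_login:
        problems.append("session ID unchanged on logout")
    if store.user_for(after_login) is not None:
        problems.append("logged-out ID still authenticated")

    return {
        "before": before,
        "after_login": after_login,
        "after_logout": after_logout,
        "problems": problems,
    }


if __name__ == "__main__":
    for cls in (FixationVulnerableStore, HardenedStore):
        result = session_fixation_check(cls())
        print(cls.__name__, result["problems"] or "OK")
```

Running the module reports two problems for `FixationVulnerableStore` (ID unchanged on login and on logout) and `OK` for `HardenedStore`. The same three observations can be made against a real deployment by reading the session cookie at each step; the fix on the server side is the rotation and invalidation that `HardenedStore` shows, not anything on the client.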