pallets-eco / flask-session

Server side session extension for Flask
https://flask-session.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Fix session fixation #173

Closed. etshi closed this 1 year ago

etshi commented 1 year ago

As an output of the Pentest 2023, we had the following vulnerability:

Vulnerability type description: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID; more specifically, the vulnerable web application, when authenticating a user, doesn’t assign a new session ID, making it possible to use an existing session ID. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim’s browser use it. The session fixation attack is a class of Session Hijacking, which steals the established session between the client and the Web Server after the user logs in. Instead, the Session Fixation attack fixes an established session on the victim’s browser, so the attack starts before the user logs in.

Contextual elements: We were able to control the value of the session cookie. It could lead to session fixation-based attacks. However, because the process requires a valid CSRF token, and a POST request, we couldn’t exploit the vulnerability. For the session fixation, we first need to get a valid CSRF token. There, we can choose the value of the session cookie associated with the CSRF token.

This PR tackles the following:
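The following is an added illustration of the fixation risk described in this PR, not code from this PR or from Flask-Session. It is a self-contained, constructed server-side session store (the `SessionStore` class, `rotate_on_login` flag and `fixation_attempt` helper are all assumptions made for the example) showing the two defences that matter here: never adopting a client-supplied session ID the server did not issue, and rotating the session ID at login.

```python
import secrets


class SessionStore:
    """Minimal server-side session store written for this example (not Flask-Session's code).
    The browser holds only a session ID (SID) cookie; all data lives server-side under that SID."""

    def __init__(self, rotate_on_login=True):
        self._sessions = {}                      # sid -> session data dict
        self.rotate_on_login = rotate_on_login   # False reproduces the fixation-prone behaviour

    @staticmethod
    def _new_sid():
        return secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable

    def open_session(self, cookie_sid):
        """Start of a request: resolve the cookie's SID, or issue a fresh one.
        A SID the server never issued is discarded rather than adopted, so a client cannot
        create a live session under a value of its own choosing."""
        if cookie_sid is not None and cookie_sid in self._sessions:
            return cookie_sid
        sid = self._new_sid()
        self._sessions[sid] = {}
        return sid

    def login(self, sid, user_id):
        """Successful authentication: bind the user to the session and, if rotation is on,
        move the data under a brand-new SID so any pre-login SID known to a third party goes dead."""
        data = self._sessions[sid]
        data["user_id"] = user_id
        if not self.rotate_on_login:
            return sid            # vulnerable behaviour: the pre-login SID stays valid
        del self._sessions[sid]
        new_sid = self._new_sid()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """What a holder of `sid` can see; None if the SID is not a live session."""
        data = self._sessions.get(sid)
        return data.get("user_id") if data else None


def fixation_attempt(store, planted_sid, victim="alice"):
    """Replay the scenario from the PR description: a SID has been planted in the victim's
    browser, the victim logs in, and the planted SID is then presented again.
    Returns True if the planted SID now resolves to the victim's authenticated session."""
    victim_sid = store.open_session(planted_sid)   # victim's first request, cookie set to planted_sid
    store.login(victim_sid, victim)                # victim authenticates
    return store.user_for(planted_sid) == victim   # does the planted SID carry the login?
```

Note that discarding unknown SIDs alone is not enough: a SID legitimately obtained by first connecting to the application passes that check, and only rotation at login invalidates it.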

etshi commented 1 year ago

Sorry, pushed this by mistake.

ThiefMaster commented 1 year ago

You can just forcepush to remove/change commits, no need to do a new PR.