Session Management / Session Fixation
Session Fixation (CWE-384) is a web security vulnerability that occurs when an attacker forces a user's web browser to authenticate to a web site using a fixed session ID. This type of attack is particularly dangerous as it allows an attacker to hijack a user's authenticated session and gain access to confidential information. The attack can be performed on both Web and API applications.
Session Fixation is a high-severity vulnerability that can result in the unauthorized access of confidential information and data, as well as the ability to perform malicious actions. The risk assessment of this vulnerability is high and the consequences can be severe.
The best way to protect against Session Fixation is to ensure that each user is issued a new session identifier (ID) at the moment they authenticate to the application, rather than continuing to use whatever ID the browser presented before login. The new ID should be generated from a cryptographically secure random source (a secure token, a random number, or a combination of both) so that it cannot be guessed or predicted, which prevents an attacker from hijacking the user's session. Additionally, applications should validate the session identifier on every request and reject IDs that the server did not itself issue.
An example of Session Fixation can be found in CVE-2018-19046. For this vulnerability, an attacker could manipulate the session_id parameter in a POST request to gain access to a user's authenticated session.
The vulnerable code can be seen below (Ruby; the session value is taken directly from the request instead of being generated by the server):

    # The session identifier is read straight from the client-supplied request parameter
    session_id = params[:session_id]
    if session_id
      # A value chosen by the client is stored as the authenticated session's user binding,
      # so the server never issues its own identifier and never rotates it on login
      session[:user_id] = session_id
    end
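The mitigation described above (issuing a fresh, server-generated session ID at authentication and invalidating the pre-login one), shown as an added example that is not part of the original page or of any framework's real session code. SessionStore, its methods and the user id 42 are constructed for this illustration; the in-memory hash stands in for a framework's session backend.

```ruby
require 'securerandom'
# Minimal in-memory session store standing in for a framework's session
# backend (constructed for this example, not a real framework's code).
class SessionStore
  def initialize
    @sessions = {}
  end
  # Cryptographically random 256-bit identifier; unguessable on its own,
  # but randomness alone does not stop fixation if the id is never rotated.
  def new_id
    SecureRandom.hex(32)
  end

  # Adopts +sid+ as an unauthenticated session if it is not yet known.
  # Accepting an id the server did not issue is what lets a fixed id in.
  def fetch(sid)
    @sessions[sid] ||= { user_id: nil }
  end

  # Vulnerable pattern: authenticate inside whatever session id arrived,
  # so an id known before login remains valid (and is now authenticated).
  def login_without_rotation(sid, user_id)
    fetch(sid)[:user_id] = user_id
    sid
  end

  # Mitigated pattern: on successful authentication issue a fresh id
  # and invalidate the pre-authentication one.
  def login_with_rotation(old_sid, user_id)
    @sessions.delete(old_sid)
    fresh = new_id
    @sessions[fresh] = { user_id: user_id }
    fresh
  end

  # Owner of the session, or nil if the id is unknown or unauthenticated.
  def user_for(sid)
    @sessions.key?(sid) ? @sessions[sid][:user_id] : nil
  end
end
# Replays the scenario: a session id exists before login, user 42 logs in,
# then the store is asked whether that pre-login id is now authenticated.
def pre_login_id_authenticated?(rotate:)
  store = SessionStore.new
  pre_login_sid = store.new_id
  store.fetch(pre_login_sid)
  rotate ? store.login_with_rotation(pre_login_sid, 42) : store.login_without_rotation(pre_login_sid, 42)
  !store.user_for(pre_login_sid).nil?
end
```

With rotation the pre-login id returns nil from user_for, so a client that learned it before authentication gains nothing from it afterwards.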