Objective
Learn how to exploit Session Fixation vulnerabilities to hijack user sessions and understand how to prevent such attacks by implementing secure session management practices.
Scenario
You are assessing a web application’s session management. The application assigns session IDs to users but fails to regenerate the session ID upon login. An attacker can exploit this flaw by forcing a victim to use a session ID controlled by the attacker. Your task is to exploit this vulnerability to hijack the victim’s session and learn how to mitigate it.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and web session management.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
PHP Script for Login Functionality
Create a file login.php:
<?php
session_start(); // Vulnerable: whatever session ID the browser arrived with is kept after login
$users = ["admin" => "admin123", "user" => "user123"]; // hard-coded lab credentials
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (isset($users[$username]) && $users[$username] === $password) {
        // No session_regenerate_id() here: a session ID fixed before login stays valid afterwards
        $_SESSION['username'] = $username;
        echo "<h2>Welcome, $username!</h2>";
    } else {
        echo "<h2>Invalid Credentials!</h2>";
    }
}
?>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
PHP Script to View Session Data
Create a file dashboard.php:
<?php
session_start();
if (isset($_SESSION['username'])) {
    // Anyone presenting a session ID whose session has 'username' set is treated as that user
    echo "<h2>Dashboard</h2>";
    echo "<p>Welcome, " . $_SESSION['username'] . "!</p>";
} else {
    echo "<h2>Access Denied!</h2>";
}
?>
Running the Application
Start the Apache server.
Place login.php and dashboard.php in the web server’s root directory (htdocs for XAMPP).
Open http://localhost/login.php in your browser.
Note that the exploitation steps below pass the session ID in the URL. PHP only accepts a session ID from the query string when session.use_only_cookies is 0 in php.ini; the default since PHP 5.3 is 1, so the vulnerable lab configuration needs it set to 0. Turning it back on is one of the mitigations covered later.
Exploitation Steps
Step 1: Forcing a Fixed Session ID
Craft a malicious link with a predefined session ID:
http://localhost/login.php?PHPSESSID=attacker_session_id
Trick the victim into clicking this link.
The victim logs in; because the application never regenerates the session ID, the attacker-chosen ID now identifies an authenticated session.
Step 2: Hijacking the Session
The attacker accesses the victim’s session using:
http://localhost/dashboard.php?PHPSESSID=attacker_session_id
Expected Result:
The attacker gains access to the victim’s session and sees their dashboard.
Explanation
- The session ID was fixed before login, and since the application didn’t regenerate it, the attacker could hijack the session.
Solution and Prevention
Problem Analysis
- The session ID remains unchanged after login, allowing session fixation.
Fixing the Vulnerability
Regenerate Session ID After Login
Modify login.php to regenerate the session ID on successful login (the login form below the PHP block is unchanged):
<?php
session_start();
$users = ["admin" => "admin123", "user" => "user123"];
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (isset($users[$username]) && $users[$username] === $password) {
        // Issue a fresh session ID and delete the old session data (the true argument),
        // so an ID fixed before login is never associated with the authenticated session
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
        echo "<h2>Welcome, $username!</h2>";
    } else {
        echo "<h2>Invalid Credentials!</h2>";
    }
}
?>
Set Secure Cookie Attributes
Configure session cookies to mitigate fixation. These ini_set() calls must run before session_start(); set afterwards they have no effect on the current request:
ini_set('session.cookie_httponly', 1); // cookie not readable from JavaScript
ini_set('session.cookie_secure', 1);   // cookie only sent over HTTPS
ini_set('session.use_only_cookies', 1); // ignore ?PHPSESSID=... in the URL
Limit Session Duration
Implement session timeout and inactivity expiration.
Avoid Passing Session IDs in URLs
Always use cookies for session management.
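The mitigations above (regenerating the ID on login, cookie-only sessions with secure attributes, idle and absolute timeouts) can be collected in one include file that both login.php and dashboard.php use. The following is an added example and not code from the lab: the file name session_hardening.php, the function names, and the 15-minute idle and 8-hour absolute limits are assumptions, and session.use_strict_mode and the SameSite attribute are PHP session settings beyond the three the lab lists.

```php
<?php
// session_hardening.php (hypothetical file name, added example).
// Include this at the top of login.php and dashboard.php instead of calling session_start() directly.

declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900;       // assumed: 15 minutes without a request ends the session
const SESSION_ABSOLUTE_LIMIT = 28800; // assumed: 8 hours after login the session ends regardless
const SESSION_COOKIE_SECURE = true;   // set to false only for a plain-HTTP local lab, never in production

function secure_session_start(): void
{
    // Every ini_set() here must precede session_start(); later calls are ignored for this request.
    ini_set('session.use_only_cookies', '1'); // a ?PHPSESSID=... query parameter is ignored
    ini_set('session.use_trans_sid', '0');    // never rewrite links/forms to carry the ID
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (defeats fixation directly)
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', SESSION_COOKIE_SECURE ? '1' : '0');
    ini_set('session.cookie_samesite', 'Lax');
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => SESSION_COOKIE_SECURE,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after the credentials have been verified.
function login_user(string $username): void
{
    // Discard the pre-login ID and its data so a fixated ID never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['username']      = $username;
    $_SESSION['login_time']    = time();
    $_SESSION['last_activity'] = time();
}

// Call at the top of any authenticated page; returns the logged-in username or ends the request.
function require_login(): string
{
    if (!isset($_SESSION['username'], $_SESSION['login_time'], $_SESSION['last_activity'])) {
        logout_user();
        http_response_code(403);
        exit('<h2>Access Denied!</h2>');
    }
    $now = time();
    if ($now - (int) $_SESSION['last_activity'] > SESSION_IDLE_LIMIT
        || $now - (int) $_SESSION['login_time'] > SESSION_ABSOLUTE_LIMIT) {
        logout_user();
        http_response_code(403);
        exit('<h2>Session expired, please log in again.</h2>');
    }
    $_SESSION['last_activity'] = $now; // sliding inactivity window
    return (string) $_SESSION['username'];
}

// Clears server-side data and expires the cookie in the browser.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

To use it, replace session_start() in login.php with require 'session_hardening.php'; secure_session_start(); and call login_user($username) in the successful-login branch instead of assigning $_SESSION['username'] directly; in dashboard.php call $username = require_login(); before rendering. With session.use_strict_mode enabled, a request carrying an ID the server never issued is given a brand-new ID rather than adopting the supplied one, so the fixation step fails even before the login-time regeneration runs.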
Testing After Fix
Attempt to use a crafted session ID in the URL:
http://localhost/login.php?PHPSESSID=attacker_session_id
Log in, then compare the PHPSESSID cookie value before and after login in the browser’s developer tools to confirm that it changes.
Expected Result:
The session ID is regenerated, preventing the attacker from hijacking the session.
Conclusion
In this lab, you exploited a Session Fixation vulnerability by forcing a fixed session ID and hijacking the victim’s session. You also learned how to mitigate this risk by regenerating session IDs upon login, securing session cookies, and enforcing proper session management practices.