Session fixation through a cookie injection

Session fixation is a vulnerability that relies on re-use of a session ID. First, the attacker must be able to force the victim to use a specific session ID, either by setting a cookie on their client or by already knowing the value of the victim's session ID. Then, when the victim authenticates, the application does not issue a new session ID, so the cookies remain the same on the client. Therefore, the attacker knows the session ID and now has access to the victim's authenticated session.

Getting ready

This recipe will require some initial reconnaissance performed against the target site to identify how it performs authentication, for example through data in POST requests or through basic auth. It will also require a valid user account to authenticate with.

How to do it…

This recipe will be testing for session fixation through a cookie injection:

import requests

url = 'http://www.packtpub.com/'
# Stage 1: an unauthenticated GET to collect the cookies the server hands out
req = requests.get(url)
if req.cookies:
    print('Initial cookie state:', req.cookies)
    # Stage 2: authenticate while presenting the pre-authentication cookies
    cookie_req = requests.post(url, cookies=req.cookies,
                               auth=('user1', 'supersecretpasswordhere'))
    print('Authenticated cookie state:', cookie_req.cookies)

    # If the server hands back the same cookies after login, the session
    # identifier was not rotated on authentication
    if req.cookies == cookie_req.cookies:
        print('Session fixation vulnerability identified')

How it works…

This script has two stages; the first is sending an initial GET request to the target website and then displaying the cookies received:

req = requests.get(url)
print('Initial cookie state:', req.cookies)

The second stage of the script sends another request to the target site, this time authenticating with valid user credentials:

cookie_req = requests.post(url, cookies=req.cookies,
                           auth=('user1', 'supersecretpasswordhere'))

Notice here that we set the request cookies to the cookies that we received in the initial GET request earlier.

The script ends by printing out the final cookie state and printing a warning if the authenticated cookies match the cookies that were sent in the initial request:

print('Authenticated cookie state:', cookie_req.cookies)

if req.cookies == cookie_req.cookies:
    print('Session fixation vulnerability identified')
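The same two-stage comparison as an added, offline example (not the book's script): it tracks the cookie the client actually holds after login, as a browser or requests.Session would, so it also flags a server that simply sends no new Set-Cookie on authentication. The three login functions and the cookie name sessionid are constructed stand-ins for the target; no network is used.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionid"   # assumed cookie name; substitute the target's real one


def apply_set_cookie(jar, set_cookie_headers):
    """Merge a response's Set-Cookie headers into a client cookie jar (a dict),
    the way a browser or requests.Session does; cookies not re-set persist."""
    jar = dict(jar)
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = morsel.value
    return jar


def fixation_detected(pre_login_jar, post_login_jar, name=SESSION_COOKIE):
    """The recipe's check applied to the cookie the client holds: fixation if
    the session cookie after login still equals the one held before login."""
    return name in pre_login_jar and pre_login_jar[name] == post_login_jar.get(name)


# Constructed stand-ins for the target's login endpoint (no network involved).
def vulnerable_login(request_cookies):
    """Accepts the credentials but sends no Set-Cookie, so the old ID survives."""
    return []

def reissuing_login(request_cookies):
    """Sends the pre-auth ID back unchanged: the case the recipe's == catches."""
    return [f"{SESSION_COOKIE}={request_cookies[SESSION_COOKIE]}; Path=/"]

def hardened_login(request_cookies):
    """Invalidates the pre-auth session and issues a fresh ID after login."""
    return [f"{SESSION_COOKIE}={secrets.token_hex(16)}; HttpOnly; Secure; Path=/"]


def run_check(login):
    # Stage 1: initial GET; the constructed response sets a pre-auth session cookie.
    before = apply_set_cookie({}, [f"{SESSION_COOKIE}=abc123; Path=/"])
    # Stage 2: authenticate presenting those cookies, then merge what comes back.
    after = apply_set_cookie(before, login(before))
    return fixation_detected(before, after)


if __name__ == "__main__":
    for login in (vulnerable_login, reissuing_login, hardened_login):
        print(login.__name__, "-> fixation" if run_check(login) else "-> rotated")
```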

There's more…

Cookies are another user-controlled data source that is parsed by the web server. Similar to headers, this makes them a great place to test for XSS vulnerabilities. Try adding XSS payloads to cookie data and sending it to the target server to see how it handles the data. Remember that cookies may be read in by the web server backend or may be written to the logs, and therefore XSS might be possible against the log reader (if, for example, the logs are later viewed by an admin).
