🧠 Session Fixation

What is it?

  • Concept: Instead of stealing a victim’s existing session, the attacker forces (injects) a session ID they already know into the victim’s browser, then waits for the victim to authenticate that session.
  • Impact: Authentication bypass (the attacker takes over the victim’s authenticated session) and privilege escalation when the same ID survives a change of role.

How it works

  1. Acquisition: The attacker obtains a valid Session ID from the server (often just by visiting the site anonymously).
  2. Fixation: The attacker forces the victim’s browser to use that specific Session ID (e.g., via a malicious link or an injected Set-Cookie response header).
  3. Authentication: The attacker waits for the victim to log into the application while the browser still carries the forced session.
  4. Hijack: The attacker presents the same Session ID and is treated as the victim, because the server never replaced the ID at login.

Exploitation

Prerequisites:

  • The attacker must have a mechanism to plant their cookie in the victim’s browser (header injection, a cooperating subdomain, an XSS, or a session ID accepted from the URL).
  • The target application fails to regenerate the session ID upon authentication or a change in privilege, and keeps honouring the pre-authentication ID.

Attack Vectors

A common delivery mechanism is CRLF Injection (Carriage Return, \r or %0D, followed by Line Feed, \n or %0A) into a redirect that copies user input into the Location header (for example an unpatched Nginx proxy). The injected line break terminates the Location header and lets the attacker append a forged Set-Cookie response header.

Example (Nginx Configuration):

server {
	listen 1337;

	# Redirection. $id is captured from the already percent-decoded URI and
	# written into the Location header without any sanitisation/validation,
	# so an encoded %0D%0A in the path becomes a real CRLF in the response.
	location ~ ^/invite/(?<id>[^?]*)$ {
		return 302 /?ref=$id;
	}
}

Example Exploit:

# General CRLF payload structure forcing a known session ID
GET /redirect?url=...%0d%0aSet-Cookie:%20session=MY_EVIL_SESSION_ID

# Specific vector for the /invite/ rule above. The Path attribute is deliberately
# more specific than the real session cookie's path: browsers send cookies with
# longer paths first (RFC 6265 §5.4), so the attacker's cookie shadows the
# legitimate one on that endpoint.
GET /invite/hello%0D%0ASet-Cookie:%20<attacker_cookie>;%20Path=/api/profile
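To make the delivery step concrete, the following added example (not code from the original note, and not Nginx code) stands in for the vulnerable `return` rule with a tiny Python response builder: it percent-decodes the request path the way a server does before matching a location, pastes the captured value into the Location header, and parses the resulting response as a browser would. A hardened variant re-encodes the value so CR/LF can never end the header line. The attacker path is constructed to mirror the /invite/ vector above; `vulnerable_redirect`, `hardened_redirect` and `parse_headers` are hypothetical names.

```python
"""Added example: CRLF injection through an unescaped redirect, and the fix.
The two builders below imitate the Nginx `return 302 /?ref=$id` rule; they are
a stand-in for illustration, not Nginx's implementation."""
from urllib.parse import quote, unquote

PREFIX = "/invite/"


def _capture(request_path: str) -> str:
    """Servers normalise (percent-decode) the URI before matching locations,
    so %0D%0A in the path is already a real CR LF when the capture is taken."""
    decoded = unquote(request_path)
    if not decoded.startswith(PREFIX):
        raise ValueError("not an /invite/ path")
    return decoded[len(PREFIX):]


def vulnerable_redirect(request_path: str) -> bytes:
    """Copies the captured value into Location verbatim (the bug)."""
    ref = _capture(request_path)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /?ref={ref}\r\n"
        "\r\n"
    ).encode("latin-1")


def hardened_redirect(request_path: str) -> bytes:
    """Same redirect, but the value is percent-encoded again before it is
    placed in a header, so CR and LF become %0D and %0A and cannot start a
    new header line."""
    ref = quote(_capture(request_path), safe="")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /?ref={ref}\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Minimal HTTP response parser: header name (lower-cased) -> value,
    first occurrence wins, which is what the attacker relies on."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


# Constructed attacker request mirroring the /invite/ vector (not captured traffic).
ATTACK_PATH = "/invite/hello%0D%0ASet-Cookie:%20session=EVIL;%20Path=/api/profile"

if __name__ == "__main__":
    vuln = parse_headers(vulnerable_redirect(ATTACK_PATH))
    print("vulnerable Set-Cookie:", vuln.get("set-cookie"))  # session=EVIL; Path=/api/profile
    safe = parse_headers(hardened_redirect(ATTACK_PATH))
    print("hardened  Set-Cookie:", safe.get("set-cookie"))   # None
    print("hardened  Location:  ", safe["location"])
```

Against the vulnerable builder the browser sees a genuine `Set-Cookie: session=EVIL; Path=/api/profile` header and stores it for the redirecting origin; against the hardened builder the whole payload stays inside the `ref` query parameter. The same check (does `parse_headers` ever report a `set-cookie` you did not intend to send?) is a useful assertion to keep in a test suite for any redirect that interpolates user input.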

Mitigation

  • Session Regeneration: The real fix is to invalidate the pre-authentication session server-side and issue a new, cryptographically random session ID in a fresh cookie on every successful login and on any change of role or privilege. Whatever ID the attacker fixated is then worthless.

  • Strict Input Validation: Reject or percent-encode CR and LF in anything that is copied into a response header, and keep reverse proxies and web servers patched so CRLF injection cannot serve as the delivery mechanism.

  • Device Binding: Tying the session to the client IP address or User-Agent raises the bar, but only as defence in depth: both values change legitimately (NAT, mobile networks, browser updates) and both can be copied by an attacker who is already on the same network path.

  • Cookie Prefixes: Name the session cookie with the __Secure- or __Host- prefix. __Host- additionally requires the Secure flag, no Domain attribute and Path=/, so a subdomain or a plain-HTTP response cannot plant it. This blocks cross-subdomain and insecure-context fixation but does not stop an injected header served by the secure origin itself, so it complements regeneration rather than replacing it.

  • Verification: Only honour session IDs the server actually issued; never adopt an unknown ID presented by the client (so-called permissive session handling), and reject IDs that do not match the expected format or that were issued for a different origin.
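The four-step flow from the "How it works" section and the session-regeneration fix above, run end to end as an added example (not code from the original note, and not any framework's session API). It uses a toy in-memory session table, `SessionStore`, and two hypothetical login handlers: `login_vulnerable` authenticates whatever session ID the browser presented, while `login_fixed` destroys that session and binds the user to a freshly generated ID. The store only ever honours IDs it issued itself, which is the "Verification" point above.

```python
"""Added example: session fixation against a toy server, vulnerable vs. fixed.
SessionStore, login_vulnerable, login_fixed and run_fixation_attack are
hypothetical names used for illustration only."""
import secrets


class SessionStore:
    """Server-side session table: session_id -> session data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Issue a fresh, unauthenticated session with a random ID. An attacker
        gets one simply by visiting the site (step 1: acquisition)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        """Return the session for an ID the server issued, else None. Unknown
        IDs are never adopted, so the attacker must start from a real one."""
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login_vulnerable(store, presented_sid, user):
    """Bug: after verifying credentials, the server keeps whatever session ID
    the browser sent. A fixated ID silently becomes an authenticated one."""
    if store.get(presented_sid) is None:
        presented_sid = store.create()
    store.get(presented_sid)["user"] = user
    return presented_sid  # browser keeps using the fixated cookie


def login_fixed(store, presented_sid, user):
    """Session regeneration: drop the pre-authentication session and bind the
    user to a brand-new ID that is issued only after credentials were
    verified. Do the same again on any change of role or privilege."""
    store.destroy(presented_sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = user
    return new_sid  # sent back as Set-Cookie: session=<new_sid>


def run_fixation_attack(login_handler):
    """Plays the four steps against the given login handler and reports
    whether the attacker ends up holding an authenticated session."""
    store = SessionStore()
    fixated = store.create()                     # 1. acquisition
    victim_cookie = fixated                       # 2. fixation (delivery elided)
    victim_cookie = login_handler(store, victim_cookie, "victim")  # 3. victim logs in
    attacker_view = store.get(fixated)           # 4. attacker replays the known ID
    return attacker_view is not None and attacker_view["user"] == "victim"


if __name__ == "__main__":
    print("vulnerable handler, attacker authenticated:", run_fixation_attack(login_vulnerable))  # True
    print("fixed handler, attacker authenticated:    ", run_fixation_attack(login_fixed))       # False
```

The only difference between the two handlers is whether the ID presented at login survives authentication; that single line of behaviour is what a code review or a black-box test (compare the session cookie before and after a successful login) should look for.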
