This post covers and explains the session fixation attack using the free OWASP WebGoat lab.
What is a Session Fixation Attack?
A session fixation attack is an attack in which the attacker chooses (“fixes”) a session ID before the victim logs in, rather than stealing one afterwards. Websites use session IDs so that users do not have to log in again on every page (think of how you stay logged into Facebook); the ID is a token that the server maps to a logged-in user. On a vulnerable web server, the attacker tricks the victim into visiting a link that carries a pre-determined session ID, and the server adopts that ID for the victim’s visit. When the victim then authenticates, the server attaches her logged-in state to the attacker-chosen ID, which the attacker already knows.
The Attack Scenario Explained
Here’s how the attack typically unfolds:
- The Setup: I imagined an attacker wanting to gain access to a victim’s (let’s call her Jane) account on a website, perhaps “OS Torque” or “Goat Hills Financial.” The attacker’s first step is to craft a URL to the site that carries a session ID of the attacker’s choosing, for example sID=1000.
- The Lure (Social Engineering): The attacker then sends an email to Jane, pretending to be an administrator. This email contains a warning (like “incorrect account details”) and a deceptive link for Jane to click to “verify” her account. This link is, in fact, the crafted URL with the fixed session ID.
- Victim Action: Jane, believing the email is legitimate, clicks the link. Because the vulnerable server accepts a session ID from the URL, her browser’s requests are now tracked under the ID the attacker embedded. She is prompted to log in to the website. Crucially, the server does not issue a fresh ID when she logs in, so her authenticated session becomes associated with the attacker’s chosen session ID.
- Attacker Gains Access: Now that Jane is logged in under the session ID the attacker provided, the attacker simply visits the website with that same ID (for example by reusing the crafted URL). Because the ID now maps to Jane’s authenticated session, the attacker gets full access to Jane’s account without ever knowing her password.
Demonstration in WebGoat walkthrough
The video walked through this exact scenario:
- The attacker “sends an email” (this was simulated within WebGoat).
- The victim (played by the demonstrator) receives the email and clicks the malicious link.
- The victim logs in with their actual credentials (e.g., username “Jane” and her password).
- Finally, the attacker revisits the link (or any link with the same session ID) and is immediately logged into Jane’s account, demonstrating the successful session hijack.
How to Prevent Session Fixation Attacks
To prevent these types of attacks, web servers should:
- Generate session IDs with a cryptographically secure random generator, long enough (128 bits or more) that an attacker cannot guess or predict a valid one.
- Never accept a session ID supplied by the client in a URL or form parameter. Only honour IDs the server issued itself, carried in a cookie (with the HttpOnly, Secure and SameSite flags), and reject unknown IDs instead of silently creating a session for them.
- Issue a new session ID on every successful authentication (and on any other privilege change) and invalidate the old one, so that an ID fixed before login is worthless afterwards.
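The following is an added example, not code from the page or from WebGoat, that models both the attack scenario above and the fixes just listed in one small in-memory server. The `Server` class, the `fixation_safe` switch, the constructed credentials for “jane” and the session ID 1000 are all assumptions made for the demonstration. With `fixation_safe=False` the server adopts whatever ID arrives in the URL and keeps it across login, which is the behaviour the walkthrough exploits; with `fixation_safe=True` it ignores client-supplied IDs and rotates the ID on login.

```python
import secrets


class Server:
    """Toy web app with an in-memory session table (example, not WebGoat's code).

    fixation_safe=False reproduces the vulnerable behaviour described in the
    walkthrough; fixation_safe=True applies the two fixes: ignore client-supplied
    session IDs and rotate the ID on successful authentication.
    """

    # Constructed sample credentials for the demonstration.
    USERS = {"jane": "jane-password"}

    def __init__(self, fixation_safe: bool):
        self.fixation_safe = fixation_safe
        self.sessions = {}  # sid -> {"user": username or None}

    def _new_sid(self) -> str:
        # 32 random bytes from the OS CSPRNG: unguessable by design.
        return secrets.token_urlsafe(32)

    def resolve_session(self, url_sid=None, cookie_sid=None) -> str:
        """Return the session ID this request runs under, creating one if needed."""
        if not self.fixation_safe and url_sid is not None:
            # Vulnerable: trust the sID from the URL and create it if unknown.
            self.sessions.setdefault(url_sid, {"user": None})
            return url_sid
        # Safe path: only an ID the server issued (and still knows) is honoured.
        if cookie_sid in self.sessions:
            return cookie_sid
        sid = self._new_sid()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str, password: str):
        """Authenticate; returns the session ID the client must use afterwards."""
        if self.USERS.get(username) != password:
            return None
        if self.fixation_safe:
            # Fix: rotate the identifier on privilege change and drop the old one,
            # so any ID fixed before login no longer maps to anything.
            self.sessions.pop(sid, None)
            sid = self._new_sid()
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str):
        """User bound to this session ID, or None if the ID is unknown/anonymous."""
        session = self.sessions.get(sid)
        return session["user"] if session else None


def run_fixation_attack(server: Server):
    """Replay the walkthrough: attacker fixes sID=1000, Jane logs in via the link,
    attacker reuses the same ID. Returns the account the attacker lands in, or None."""
    attacker_sid = "1000"
    # Jane clicks the lure: the request carries the attacker's ID in the URL and
    # no session cookie of her own.
    jane_sid = server.resolve_session(url_sid=attacker_sid)
    jane_sid = server.login(jane_sid, "jane", "jane-password")
    assert jane_sid is not None and server.whoami(jane_sid) == "jane"
    # Attacker replays the fixed ID against the same server.
    return server.whoami(attacker_sid)


if __name__ == "__main__":
    print("vulnerable server, attacker sees:", run_fixation_attack(Server(fixation_safe=False)))
    print("hardened server, attacker sees:", run_fixation_attack(Server(fixation_safe=True)))
```

Against the vulnerable server the attacker’s replay of ID 1000 resolves to Jane’s account; against the hardened server it resolves to nothing, because the URL-supplied ID was never adopted and Jane’s real session lives under an ID that was generated at login and never left her cookie.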
In essence, the attack works by tricking the user into authenticating with a session ID that the attacker has already “fixed,” allowing the attacker to then hijack that authenticated session.