The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.

How does a Session Fixation attack work?

It typically unfolds over 3 phases. It begins with: [Setup the Attack] Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.

How do you prevent CAPEC-61?

Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice.

What weaknesses does CAPEC-61 target?

CAPEC-61 exploits 3 CWE weaknesses, including CWE-384 (Session Fixation), CWE-664 (Improper Control of a Resource Through its Lifetime), CWE-732 (Incorrect Permission Assignment for Critical Resource).

How severe is CAPEC-61?

MITRE rates CAPEC-61 as High severity with medium likelihood of attack.

CAPEC-61: Session Fixation

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Setup the Attack] Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.
- The attacker chooses a predefined identifier that they know.
- The attacker creates a trap session for the victim.
Step 2
Experiment
[Attract a Victim] Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging cross site scripting vulnerability, using META tags or setting HTTP response headers in a variety of ways.
- Attackers can put links on web sites (such as forums, blogs, or comment forms).
- Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service.
- Attackers can email attack URLs to potential victims through spam and phishing techniques.
Step 3
Exploit
[Abuse the Victim's Session] Takeover the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier.
- The attacker loads the predefined session ID into their browser and browses to protected data or functionality.
- The attacker loads the predefined session ID into their software and utilizes functionality with the rights of the victim.

How the attack works

CAPEC-61: Session Fixation

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-61?

How does a Session Fixation attack work?

How do you prevent CAPEC-61?

What weaknesses does CAPEC-61 target?

How severe is CAPEC-61?

References

Defend against CAPEC-61

How the attack works

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-61?

How does a Session Fixation attack work?

How do you prevent CAPEC-61?

What weaknesses does CAPEC-61 target?

How severe is CAPEC-61?

References

Defend against CAPEC-61