CWE-384: Session Fixation
Learn about CWE-384 (Session Fixation), its security impact, exploitation methods, and prevention guidelines.
What is Session Fixation?
• Overview: Session Fixation is a vulnerability where a web application lets a user authenticate without issuing a new session identifier, so a session ID that existed before login (one an attacker may already know) stays valid afterwards and can be used to hijack the authenticated session.
• Exploitation Methods:
- Attackers can fix a session ID by creating a session and tricking the victim into logging in with that session identifier.
- Common attack patterns include embedding session IDs in URLs or hidden fields and using phishing techniques to get users to use these IDs.
• Security Impact:
- Direct consequences include unauthorized access to a user's session and data.
- Potential cascading effects include data theft, unauthorized transactions, and privilege escalation.
- Business impact includes loss of customer trust, financial loss, and damage to brand reputation.
• Prevention Guidelines:
- Specific code-level fixes include issuing a new session ID upon successful login and invalidating the old one.
- Security best practices involve using secure cookies, implementing proper session management, and ensuring session IDs are not exposed in URLs.
- Recommended tools and frameworks: prefer frameworks that handle session management securely, for example those that automatically regenerate session IDs on authentication.
Corgea can automatically detect and fix Session Fixation in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
const express = require('express');
const session = require('express-session');
const app = express();

// Parse form bodies so req.body is populated in the login handler
// (express.urlencoded is built into Express 4.16 and later)
app.use(express.urlencoded({ extended: false }));

app.use(session({
  secret: 'supersecretkey',
  resave: false,
  saveUninitialized: true // Dangerous: allows sessions to be created without authentication
}));

app.post('/login', (req, res) => {
  const { username, password } = req.body;
  // Vulnerable to session fixation!
  // The session ID is not regenerated after login, allowing attackers to hijack sessions
  if (authenticate(username, password)) {
    req.session.username = username;
    res.redirect('/dashboard');
  } else {
    res.status(401).send('Invalid credentials');
  }
});

function authenticate(username, password) {
  return username === "admin" && password === "password";
}

app.listen(3000, () => console.log('App running on port 3000'));
How to fix Session Fixation?
In Express.js, mitigate session fixation by regenerating the session ID after the user logs in successfully (req.session.regenerate). Any session ID an attacker planted before login is then destroyed rather than carried into the authenticated session.
Fixed Code Example
const express = require('express');
const session = require('express-session');
const app = express();

// Parse form bodies so req.body is populated in the login handler
// (express.urlencoded is built into Express 4.16 and later)
app.use(express.urlencoded({ extended: false }));

app.use(session({
  secret: 'supersecretkey',
  resave: false,
  saveUninitialized: false // Secure: prevents uninitialized sessions, reducing fixation risk
}));

app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if (authenticate(username, password)) {
    req.session.regenerate((err) => { // Secure: regenerates session ID after login
      if (err) {
        return res.status(500).send('Internal server error');
      }
      // Session data must be set inside the callback: the new session exists only once regenerate completes
      req.session.username = username;
      res.redirect('/dashboard');
    });
  } else {
    res.status(401).send('Invalid credentials');
  }
});

function authenticate(username, password) {
  return username === "admin" && password === "password";
}

app.listen(3000, () => console.log('App running on port 3000'));
In these examples, the key security enhancement is the regeneration of the session ID upon successful authentication. This ensures that any session ID an attacker may have set before login is invalidated, which is what actually closes the session fixation hole. Setting saveUninitialized to false is a complementary hardening step: it stops the server from storing sessions for unauthenticated visitors, but on its own it does not replace regenerating the ID at login.