Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/qeeqbox/session-fixation
A threat actor may trick a user into logging in with a session identifier the actor already knows. After the user logs in, that same identifier is used to gain access to the user's account.
- Host: GitHub
- URL: https://github.com/qeeqbox/session-fixation
- Owner: qeeqbox
- License: agpl-3.0
- Created: 2022-04-21T05:11:16.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-01-29T01:00:35.000Z (10 months ago)
- Last Synced: 2024-05-01T11:27:24.917Z (7 months ago)
- Topics: example, fixation, infosecsimplified, metadata, qeeqbox, session, visualization, vulnerability
- Homepage:
- Size: 244 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
A threat actor may trick a user into logging in with a session identifier the actor already knows. After the user logs in, that same identifier is used to gain access to the user's account.
## Example #1
1. Threat actor visits the vulnerable website without logging in and obtains a session identifier
2. Threat actor tricks a victim into logging into the vulnerable website using the session identifier
3. Threat actor uses the same session identifier to gain unauthorized access to the victim's account

## Impact
Varies

## Risk
- Gain unauthorized access

## Remediation
- Identity confirmation
- Regenerate session ids at authentication
- Timeout and replace old session ids
- Store ids in HTTP cookies

## ID
ecd7744c-83b0-406c-a58d-63d057a5570b

## References
- [wiki](https://en.wikipedia.org/wiki/session_fixation)
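The three steps of Example #1 and the "Regenerate session ids at authentication" and timeout items from the remediation list, as an added Python example that is not part of the qeeqbox repository: a minimal in-memory session store that either keeps the pre-login id (the vulnerable behaviour) or regenerates it at login, plus a regression check a defender can run against both configurations. The class and function names (SessionStore, whoami, pre_auth_id_works_after_login) and the "victim" and "alice" users are assumptions constructed for this example.

```python
import secrets
import time
from typing import Optional

class SessionStore:
    """In-memory session store (constructed for this example, not the project's code)."""

    def __init__(self, regenerate_on_login: bool, ttl_seconds: int = 900):
        self.sessions = {}  # session id -> {"user": str | None, "created": float}
        self.regenerate_on_login = regenerate_on_login
        self.ttl = ttl_seconds

    def start(self) -> str:
        # Unauthenticated visit: issue an anonymous session id (step 1 of Example #1).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def login(self, sid: str, user: str) -> str:
        # Credentials are assumed to be verified already; this only handles the id.
        if self.regenerate_on_login:
            # Hardened: retire the pre-authentication id and mint a fresh one, so an
            # id known before login never identifies the authenticated session.
            self.sessions.pop(sid, None)
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "created": time.time()}
        return sid

    def whoami(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        # Expire ids older than ttl_seconds ("Timeout and replace old session ids").
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if (now if now is not None else time.time()) - rec["created"] > self.ttl:
            del self.sessions[sid]
            return None
        return rec["user"]

def pre_auth_id_works_after_login(store: SessionStore) -> bool:
    """Regression check for Example #1: does an id obtained before login still
    resolve to the victim's account after the victim authenticates with it?"""
    known_id = store.start()                   # step 1: id obtained without logging in
    store.login(known_id, "victim")            # step 2: victim logs in using that id
    return store.whoami(known_id) == "victim"  # step 3: would the old id still work?

def id_expires_after_ttl(store: SessionStore) -> bool:
    """Check the timeout remediation: an id past its TTL no longer resolves."""
    sid = store.login(store.start(), "alice")
    return store.whoami(sid, now=time.time() + store.ttl + 1) is None
```

With regenerate_on_login=False the check returns True (the pre-login id now reaches the victim's account); with it set to True it returns False, which is the property a login handler should be tested for.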