Penetration Testing mailing list archives
Re: Exploiting Session Fixation on ASP
From: Rogan Dawes <lists () dawes za net>
Date: Thu, 05 Feb 2009 21:26:35 +0200
pentest pentest wrote:
Hi guys,

Just a quick question. I've found a few places (e.g. http://www.owasp.org/index.php/Session_Fixation_Protection) where it's mentioned that ASP applications are vulnerable by default to Session Fixation. However, how do you exploit this vulnerability in real life?

On PHP you just use something like http://site.com/?PHPSESSID=something

But on ASP, you cannot do something like http://site.com/?ASPSESSIONID=something because it will not work.

So, how do you exploit Session Fixation in real life?

Thanks in advance and have a nice day,
There are a number of different "flavours" of session fixation.

One is the ability to specify any session ID you like, and have it be used by the framework, kind of an "auto-vivification", if you like.

One is the failure to change the session ids when changing privilege levels. For example, I go to an internet cafe, load a banking site, note the session id issued. Offer the machine to my victim, and wait for them to authenticate to the server. Go to another PC, and use that known session id to hijack their session.

Most frameworks support session invalidation (including ASP). When authenticating, and when logging out, any existing session should be invalidated, and a new one created. However, in ASP, when invalidating the session, only the server side session is invalidated. No new ASPSESSIONID is issued to the client; rather, the old cookie is just associated with a new (empty) session. This means that even if the server DOES follow the advice, and invalidate the session, that ASPSESSIONID noted in the above example is STILL valid, and can still be used to hijack that user's session.

Hope this helps. If not, you should read the original paper at acros.si, IIRC. Google is your friend. :-)

Rogan
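The three "flavours" in the reply above (auto-vivification of client-chosen ids, keeping the pre-login id across authentication, and an abandon-style invalidation that discards server-side data but leaves the cookie value bound to a fresh empty session) differ only in how the server ties a cookie value to its session store. The following is an added, constructed model of those behaviours alongside the rotate-on-login mitigation, with two checks a developer or tester can use to confirm which behaviour a session handler has. It is not code from the original post or from ASP, PHP or any real framework; all class and function names are invented for the illustration.

```python
import secrets
from typing import Dict, Optional

# Constructed, framework-neutral model of how a server binds a session cookie
# value to server-side session data. Names are invented for illustration.


class SessionServer:
    """Baseline: a client-presented id is honoured only if this server issued it."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def _issue(self) -> str:
        """Create a fresh, unguessable session id with an empty session."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def request(self, sid: Optional[str]) -> str:
        """Anonymous request carrying cookie `sid`; returns the id the client holds afterwards."""
        if sid in self.sessions:
            return sid
        return self._issue()  # unknown or missing id: ignore it and issue a new one

    def login(self, sid: str, user: str) -> str:
        """Authenticate the holder of `sid`; returns the id the client holds afterwards."""
        raise NotImplementedError

    def whoami(self, sid: str) -> Optional[str]:
        """Who does the server believe holds `sid`?"""
        return self.sessions.get(sid, {}).get("user")


class AutoVivifyingServer(SessionServer):
    """Flavour 1: any id the client presents is accepted and a session created for it."""

    def request(self, sid: Optional[str]) -> str:
        if sid and sid not in self.sessions:
            self.sessions[sid] = {}
        return sid or self._issue()

    def login(self, sid: str, user: str) -> str:
        self.sessions.setdefault(sid, {})["user"] = user
        return sid


class NoRotationServer(SessionServer):
    """Flavour 2: the pre-authentication id is kept across the privilege change."""

    def login(self, sid: str, user: str) -> str:
        self.sessions[sid]["user"] = user
        return sid


class AbandonOnlyServer(SessionServer):
    """Models the behaviour the reply attributes to ASP: the server-side session is
    discarded on login, but the same cookie value is bound to a new, empty session,
    so the id itself is never replaced."""

    def login(self, sid: str, user: str) -> str:
        self.sessions[sid] = {}            # "abandon": old server-side data is gone ...
        self.sessions[sid]["user"] = user  # ... but the old id is reused for the new session
        return sid


class RotatingServer(SessionServer):
    """Mitigation: discard the old session and issue a brand-new id at login."""

    def login(self, sid: str, user: str) -> str:
        self.sessions.pop(sid, None)
        new_sid = self._issue()
        self.sessions[new_sid]["user"] = user
        return new_sid


def accepts_arbitrary_id(server: SessionServer) -> bool:
    """Check 1: does an id the server never issued become a live session?"""
    chosen = "id-never-issued-by-server"  # constructed value
    return server.request(chosen) == chosen


def pre_login_id_survives_login(server: SessionServer) -> bool:
    """Check 2 (the shared-machine scenario in the reply): is an id observed before
    authentication still bound to the user after they log in with it?"""
    observed = server.request(None)   # id issued to the browser before login
    server.login(observed, "victim")  # user authenticates on that same browser
    return server.whoami(observed) == "victim"


if __name__ == "__main__":
    for cls in (AutoVivifyingServer, NoRotationServer, AbandonOnlyServer, RotatingServer):
        print(f"{cls.__name__:22} accepts arbitrary id: {accepts_arbitrary_id(cls())!s:5} "
              f"pre-login id survives login: {pre_login_id_survives_login(cls())}")
```

Only `RotatingServer` passes both checks. The same two checks translate directly to a manual review of a real application: note the cookie value issued before login, log in, and confirm that the server issued a different value and that the earlier one no longer maps to the authenticated user; an "abandon" that keeps the cookie value, as the reply describes, fails the second check even though the server-side data was cleared.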
Current thread:
- Exploiting Session Fixation on ASP pentest pentest (Feb 05)
- Re: Exploiting Session Fixation on ASP Rogan Dawes (Feb 10)
- Re: Exploiting Session Fixation on ASP pentest pentest (Feb 10)
- Re: Exploiting Session Fixation on ASP Rogan Dawes (Feb 10)
- Re: Exploiting Session Fixation on ASP pentest pentest (Feb 10)
- Re: Exploiting Session Fixation on ASP arvind doraiswamy (Feb 10)
- RE: Exploiting Session Fixation on ASP Rui Pereira (WCG) (Feb 11)
- Re: Exploiting Session Fixation on ASP Rogan Dawes (Feb 10)