Penetration Testing mailing list archives

Re: Exploiting Session Fixation on ASP


From: Rogan Dawes <lists () dawes za net>
Date: Thu, 05 Feb 2009 21:26:35 +0200

pentest pentest wrote:
Hi guys,

Just a quick question. I've found a few places (e.g.
http://www.owasp.org/index.php/Session_Fixation_Protection) where it's
mentioned that ASP applications are vulnerable by default to Session
Fixation. However, how do you exploit this vulnerability in real life?

On PHP you just use something like http://site.com/?PHPSESSID=something

But on ASP, you cannot do something like
http://site.com/?ASPSESSIONID=something because it will not work.
So, how do you exploit Session Fixation in real life?

Thanks in advance and have a nice day,

There are a number of different "flavours" of session fixation.

One is the ability to specify any session ID you like, and have it be
used by the framework, kind of an "auto-vivification", if you like.

One is the failure to change the session ids when changing privilege
levels. For example, I go to an internet cafe, load a banking site, note
the session id issued. Offer the machine to my victim, and wait for them
to authenticate to the server. Go to another PC, and use that known
session id to hijack their session.

Most frameworks support session invalidation (including ASP). When
authenticating, and when logging out, any existing session should be
invalidated, and a new one created.

However, in ASP, when invalidating the session, only the server side
session is invalidated. No new ASPSESSIONID is issued to the client,
rather the old cookie is just associated with a new (empty) session.
This means that even if the server DOES follow the advice, and
invalidate the session, that ASPSESSIONID noted in the above example is
STILL valid, and can still be used to hijack that user's session.

Hope this helps. If not, you should read the original paper at acros.si,
IIRC. Google is your friend. :-)

Rogan
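As an added illustration (not part of Rogan's reply and not real ASP code), here is a small Python model of the two session-manager behaviours described above, plus the check a developer can keep as a unit test to confirm that login issues a fresh session id. The `SessionStore` class, its method names and the `regenerate_on_login` flag are assumptions of the model.

```python
import secrets


class SessionStore:
    """In-memory session store modelling the two behaviours in the reply.

    regenerate_on_login=False reproduces the classic ASP behaviour described
    above: Abandon() drops the server-side state, but the client keeps the same
    id, and the next request binds that old id to a new, empty session.
    regenerate_on_login=True is the mitigation: issue a brand-new id at login.
    """

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> dict of server-side state

    def new_id(self):
        return secrets.token_hex(16)

    def first_visit(self):
        """Anonymous request with no cookie: the server issues a session id."""
        sid = self.new_id()
        self.sessions[sid] = {}
        return sid

    def lookup(self, sid):
        """Resolve an incoming cookie. An id with no server-side state gets an
        empty session created under that same id (the 'old cookie associated
        with a new (empty) session' from the reply)."""
        return self.sessions.setdefault(sid, {})

    def login(self, sid, username):
        """Abandon the current session, then mark the user authenticated.
        Returns the id the client should use from now on."""
        self.sessions.pop(sid, None)  # server-side invalidation only
        if self.regenerate_on_login:
            sid = self.new_id()  # new id must be sent to the client
        self.lookup(sid)["user"] = username
        return sid


def fixed_id_still_authenticated(store):
    """Unit-test style check: does the id observed before login still resolve
    to the authenticated session afterwards? True means the store is exposed
    to the shared-machine scenario in the reply; False means login rotates
    the id and the pre-login id is worthless."""
    noted = store.first_visit()  # id handed out before authentication
    store.login(noted, "victim")  # user authenticates with that cookie
    return store.lookup(noted).get("user") == "victim"
```

Running the check against both configurations shows why server-side invalidation alone is not enough: only the store that rotates the id at login passes.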
