Penetration Testing mailing list archives

Exploiting Session Fixation on ASP


From: pentest pentest <pentest108 () gmail com>
Date: Thu, 5 Feb 2009 12:58:04 +0200

Hi guys,

Just a quick question. I've found a few places (e.g.
http://www.owasp.org/index.php/Session_Fixation_Protection) where it's
mentioned that ASP applications are vulnerable by default to Session
Fixation. However, how do you exploit this vulnerability in real life?

On PHP you just use something like http://site.com/?PHPSESSID=something

But on ASP, you cannot do something like
http://site.com/?ASPSESSIONID=something because it will not work.
So, how do you exploit Session Fixation in real life?

Thanks in advance and have a nice day,


