Sessions :: Fixation

Sessions :: Fixation

Sessions :: Fixation

Fix or seed (prefetch) the Session id prior to target visiting site
Session IDs
- Strict - Only allows pre-assigned/server dictated session IDs
- Permissive - Arbitrary session IDs - PHP :(
Phising - Link or Redirect
1. Can you believe what <a href=
2. "http://somebank.com/?PHPSESSID=12345">http://somebank.com/</a>
3. did, charging every transaction...
XSS inject cookie via
1. document.cookie='PHPSESSID=1234'