Sessions :: Fixation
The attacker fixes or seeds (prefetches) the session ID before the target visits the site, so the victim authenticates a session whose ID the attacker already knows.
Session IDs
Strict - only accepts pre-assigned, server-dictated session IDs; an unknown ID presented by the client is discarded and a fresh one issued
Permissive - accepts arbitrary client-supplied session IDs and starts a session under them - PHP :(
Phishing - Link or Redirect (the session ID is carried in the URL the victim clicks)
Can you believe what <a href="http://somebank.com/?PHPSESSID=12345">http://somebank.com/</a> did, charging every transaction...
XSS - inject the cookie via
document.cookie = 'PHPSESSID=1234';
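The following is an added example, not code from the original notes: a minimal server-side session store (hypothetical, in Python rather than PHP) that can be switched between the strict and permissive ID handling described above, with optional ID regeneration on login. The `fixation_outcome` helper replays the scenario from the phishing and XSS vectors: a victim arrives carrying a seeded ID (the constructed value `12345`, or one the attacker prefetched from the server), logs in, and the function reports whether the seeded ID now holds the authenticated session. It shows that strict mode alone blocks a made-up ID but not a prefetched valid one, and that regenerating the ID at login closes both cases.

```python
import secrets


class SessionStore:
    """Toy server-side session store (illustrative, not a real framework).

    strict=True  -> only server-issued IDs are honoured (the 'Strict' model).
    strict=False -> any client-presented ID is adopted (the 'Permissive' model).
    regenerate_on_login=True -> a new ID is issued when the session becomes
    authenticated, so an ID known to a third party never carries a login.
    """

    def __init__(self, strict=True, regenerate_on_login=True):
        self.strict = strict
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # session_id -> session data

    def _new_session(self, sid=None):
        # Server-generated IDs come from a CSPRNG; a caller-supplied sid is only
        # used in permissive mode.
        sid = sid or secrets.token_urlsafe(32)
        self._sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def resolve(self, client_sid):
        """Map the ID presented by the client (cookie or URL parameter) to a session."""
        if client_sid in self._sessions:
            return client_sid
        if client_sid and not self.strict:
            # Permissive: adopt whatever ID the client showed up with.
            return self._new_session(client_sid)
        # Strict, or no ID at all: ignore the presented value and issue a fresh one.
        return self._new_session()

    def login(self, sid, user):
        """Mark the session authenticated, regenerating the ID first if configured."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if self.regenerate_on_login:
            del self._sessions[sid]          # the pre-login ID stops working
            sid = self._new_session()
        self._sessions[sid].update(authenticated=True, user=user)
        return sid

    def is_authenticated(self, sid):
        session = self._sessions.get(sid)
        return bool(session and session["authenticated"])


def fixation_outcome(strict, regenerate_on_login, attacker_prefetches=False):
    """Replay a fixation attempt against a store with the given settings.

    Returns True if the ID the attacker seeded ends up holding the victim's
    authenticated session (i.e. the fixation succeeded).
    """
    store = SessionStore(strict=strict, regenerate_on_login=regenerate_on_login)
    if attacker_prefetches:
        seeded_sid = store.resolve(None)   # attacker obtains a valid server-issued ID first
    else:
        seeded_sid = "12345"               # constructed value, as in the phishing link above
    # Victim follows the link or has the cookie planted, then logs in.
    victim_sid = store.resolve(seeded_sid)
    store.login(victim_sid, "victim")
    return store.is_authenticated(seeded_sid)


if __name__ == "__main__":
    for strict, regen, prefetch in [(False, False, False), (True, False, False),
                                    (True, False, True), (True, True, True)]:
        print(f"strict={strict} regenerate={regen} prefetch={prefetch} "
              f"-> fixation succeeds: {fixation_outcome(strict, regen, prefetch)}")
```

The permissive store with no regeneration is the vulnerable configuration: the authenticated session lives under the ID the attacker chose. Strict handling stops a fabricated ID, but once the attacker prefetches a genuine ID from the server it is indistinguishable from any other client, so the check that actually matters is regenerating the session ID whenever the session's privilege level changes.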