🚨 Session Fixation Vulnerability
What is Session Fixation?
Session fixation is an attack in which the attacker sets a victim's session ID to a value the attacker already knows, then hijacks the session once the victim has logged in with it.
- Attacker provides a session ID to the victim
- Victim logs in while using that session ID
- Application doesn't regenerate the session ID on login
- Attacker uses the known session ID to access the victim's account
Demonstrate Session Fixation:
1. Fix Session ID (Attacker Step):
2. Simulate Login (Victim Step):
3. Reset for New Test:
Attack Scenarios:
URL-based Session Fixation:
https://vulnerable-site.com/login?JSESSIONID=ATTACKER_SESSION_123
Cookie-based Session Fixation:
document.cookie = "JSESSIONID=ATTACKER_SESSION_123; path=/";
Form-based Session Fixation:
<form action="https://vulnerable-site.com/login">
  <input type="hidden" name="sessionId" value="ATTACKER_SESSION_123">
  <input type="submit" value="Login">
</form>
How to fix:
- Always regenerate session ID after successful login
- Never accept session IDs from URL parameters
- Use secure session configuration (HttpOnly, Secure, SameSite)
- Implement proper session timeout
- Validate session IDs server-side
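The following Python is an added example, not code from this demo page: a minimal in-memory session store with a vulnerable login handler beside a hardened one, so the attack flow above and the fixes listed here can be replayed offline. The cookie name JSESSIONID and the fixed value ATTACKER_SESSION_123 come from the page; the 15-minute idle timeout, the function names and the injected clock are assumptions made for the example.

```python
"""Session fixation: vulnerable vs hardened login handler (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_COOKIE = "JSESSIONID"      # cookie name used on the page
SESSION_TTL_SECONDS = 15 * 60      # assumed idle timeout, not from the page


@dataclass
class Session:
    user: Optional[str] = None
    created_at: float = 0.0
    last_seen: float = 0.0


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    now: float = 0.0  # clock injected so the timeout can be exercised offline

    def new_id(self) -> str:
        # 256 bits from the OS CSPRNG; never derived from anything the client sent
        return secrets.token_urlsafe(32)


def vulnerable_login(store, request_cookies, url_params, user):
    """Accepts a session ID from the URL or cookie and keeps it across login."""
    sid = (url_params.get(SESSION_COOKIE)
           or request_cookies.get(SESSION_COOKIE)
           or store.new_id())
    sess = store.sessions.setdefault(sid, Session(created_at=store.now))
    sess.user = user            # the attacker-chosen ID now maps to the victim
    sess.last_seen = store.now
    return sid, {}              # no cookie attributes set either


def hardened_login(store, request_cookies, url_params, user):
    """Ignores URL-supplied IDs, discards pre-login state, issues a fresh ID."""
    old = request_cookies.get(SESSION_COOKIE)   # url_params are never consulted
    if old in store.sessions:
        del store.sessions[old]                 # drop any pre-login session, fixed or not
    sid = store.new_id()                        # regenerate on successful login
    store.sessions[sid] = Session(user=user, created_at=store.now, last_seen=store.now)
    cookie_attrs = {"HttpOnly": True, "Secure": True, "SameSite": "Lax", "Path": "/"}
    return sid, cookie_attrs


def set_cookie_header(sid, attrs):
    """Renders the Set-Cookie line; boolean attrs become bare flags."""
    parts = [f"{SESSION_COOKIE}={sid}"]
    parts += [k if v is True else f"{k}={v}" for k, v in attrs.items()]
    return "Set-Cookie: " + "; ".join(parts)


def resolve_user(store, presented_sid):
    """Server-side validation with idle timeout: unknown or expired IDs map to no user."""
    sess = store.sessions.get(presented_sid)
    if sess is None:
        return None
    if store.now - sess.last_seen > SESSION_TTL_SECONDS:
        del store.sessions[presented_sid]
        return None
    sess.last_seen = store.now
    return sess.user


def fixation_succeeds(login_handler):
    """Replays the page's scenario against a handler: the victim arrives carrying the
    attacker-chosen ID in both URL and cookie, logs in, and the attacker then presents
    that same ID. Returns True if the attacker is resolved to the victim's account."""
    store = SessionStore()
    fixed = "ATTACKER_SESSION_123"   # value from the page
    login_handler(store, {SESSION_COOKIE: fixed}, {SESSION_COOKIE: fixed}, "victim")
    return resolve_user(store, fixed) == "victim"


if __name__ == "__main__":
    print("vulnerable handler, attacker gets in:", fixation_succeeds(vulnerable_login))
    print("hardened handler, attacker gets in:  ", fixation_succeeds(hardened_login))
```

The hardened handler deliberately does not reuse the pre-login session object: rotating only the key while keeping the object would still work here, but discarding it also clears any state the attacker could have planted before the victim authenticated. Because the attacker's ID is never honoured from the URL and is deleted from the store at login, the attacker's later lookup of ATTACKER_SESSION_123 resolves to nothing.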