Web Hacking Practice: Session Fixation Attack

·

1 min read

Login Screen

Login Attempt Request

Login Complete

The above website issues a session before login and verifies the ID and password received during the login attempt request.

In other words, the website follows this flow: Issuing a session ID (unauthenticated) → Login authentication → Using the authenticated session ID. Therefore, it is possible to bypass the login process.

Fake Login Attempt

By using Burp Suite's Repeater, the ID is changed to "admin" in the request and sent. Naturally, the response will be "fail," but since the user ID on the server-side has already been changed during the authentication process, and the session ID is already authenticated, resending the request from the "Login Complete" state will result in being logged in and the ID will be changed.