Web Hacking Practice: Session Fixation Attack
Login Screen
Login Attempt Request
Login Complete
The above website issues a session before login and verifies the ID and password received during the login attempt request.
In other words, the website follows this flow: Issuing a session ID (unauthenticated) → Login authentication → Using the authenticated session ID. Therefore, it is possible to bypass the login process.
Fake Login Attempt
By using Burp Suite's Repeater, the ID is changed to "admin" in the request and sent. Naturally, the response will be "fail," but since the user ID on the server-side has already been changed during the authentication process, and the session ID is already authenticated, resending the request from the "Login Complete" state will result in being logged in and the ID will be changed.