BETA Shoulder ist in der Beta — Befunde können manchmal falsch sein. Dein Feedback bestimmt, was wir als Nächstes beheben. Feedback teilen
Shoulder.dev

Bedrohungsintelligenz für Entwickler
📌

Session Fixation

🛡️ 3 Regeln erkennen dies

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session.

Verbreitung
Mittel
3 Sprachen abgedeckt
Auswirkung
Hoch
3 Regeln mit hohem Schweregrad
Prävention
Dokumentiert
3 Fix-Beispiele
2 Prävention
2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für Session Fixation basierend auf 3 Shoulder-Erkennungsregeln.

🟨 JavaScript Alle anzeigen JavaScript Details →
Express Insecure Session Configuration HIGH

Configure sessions with environment-based secrets and secure cookie flags

+9 -3 javascript 
  app.use(session({
-   secret: 'keyboard cat',
-   resave: true,
-   saveUninitialized: true
+   secret: process.env.SESSION_SECRET,
+   cookie: {
+     secure: process.env.NODE_ENV === 'production',
+     httpOnly: true,
+     sameSite: 'strict',
+     maxAge: 1000 * 60 * 60 * 24
+   },
+   resave: false,
+   saveUninitialized: false
  }));
🐹 Go Alle anzeigen Go Details →
Insecure Session Management HIGH

Use crypto/rand for session IDs with Secure, HttpOnly, and SameSite cookie flags

+10 -4 go 
  func createSession(w http.ResponseWriter, r *http.Request) {
-     sessionID := fmt.Sprintf("%d", time.Now().Unix())
-     http.SetCookie(w, &http.Cookie{
-         Name:  "session_id",
-         Value: sessionID,
+     b := make([]byte, 32)
+     rand.Read(b)
+     sessionID := base64.URLEncoding.EncodeToString(b)
+     http.SetCookie(w, &http.Cookie{
+         Name:     "session_id",
+         Value:    sessionID,
+         HttpOnly: true,
+         Secure:   true,
+         SameSite: http.SameSiteStrictMode,
+         MaxAge:   3600,
      })
  }
🐍 Python Alle anzeigen Python Details →
Session Fixation Vulnerability HIGH

Regenerate the session ID immediately after successful authentication

+10 -4 python 
  from flask import session, request
  from flask_login import login_user
  
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
+ def regenerate_session():
+     data = dict(session)
+     session.clear()
+     session.update(data)
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     user = User.query.filter_by(username=request.form['username']).first()
+     if user and check_password(user.password, request.form['password']):
+         regenerate_session()
          login_user(user)
          return redirect('/dashboard')

Wichtige Praktiken

  • Use predictable values or cookies lack Secure/HttpOnly flags
  • Use a session ID that the attacker already knows
4 Warnzeichen
4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Session Fixation-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟠
Session configuration has security vulnerabilities express-insecure-session
🟠
insecure session configuration including weak secrets, insecure cookies, and missing security flags express-insecure-session
🟠
Session management has security weaknesses go-insecure-session-management
🟠
missing session regeneration after authentication, which enables session fixation attacks python-session-fixation
🔍

Scanne deine Codebasis nach Session Fixation

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen