BETA Shoulder está en beta — Los hallazgos a veces pueden ser incorrectos. Tu feedback da forma a lo que arreglamos a continuación. Compartir comentarios
Shoulder.dev

Inteligencia de Amenazas para Desarrolladores
📌

Session Fixation

🛡️ 3 reglas detectan esto

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session.

Prevalencia
Media
3 lenguajes cubiertos
Impacto
Alto
3 reglas de severidad alta
Prevención
Documentada
3 ejemplos de corrección
2 Prevención
2 Prevención

Cómo corregir esta vulnerabilidad

Estrategias de prevención para Session Fixation basadas en 3 reglas de detección de Shoulder.

🟨 JavaScript Ver todo JavaScript detalles →
Express Insecure Session Configuration HIGH

Configure sessions with environment-based secrets and secure cookie flags

+9 -3 javascript 
  app.use(session({
-   secret: 'keyboard cat',
-   resave: true,
-   saveUninitialized: true
+   secret: process.env.SESSION_SECRET,
+   cookie: {
+     secure: process.env.NODE_ENV === 'production',
+     httpOnly: true,
+     sameSite: 'strict',
+     maxAge: 1000 * 60 * 60 * 24
+   },
+   resave: false,
+   saveUninitialized: false
  }));
🐹 Go Ver todo Go detalles →
Insecure Session Management HIGH

Use crypto/rand for session IDs with Secure, HttpOnly, and SameSite cookie flags

+10 -4 go 
  func createSession(w http.ResponseWriter, r *http.Request) {
-     sessionID := fmt.Sprintf("%d", time.Now().Unix())
-     http.SetCookie(w, &http.Cookie{
-         Name:  "session_id",
-         Value: sessionID,
+     b := make([]byte, 32)
+     rand.Read(b)
+     sessionID := base64.URLEncoding.EncodeToString(b)
+     http.SetCookie(w, &http.Cookie{
+         Name:     "session_id",
+         Value:    sessionID,
+         HttpOnly: true,
+         Secure:   true,
+         SameSite: http.SameSiteStrictMode,
+         MaxAge:   3600,
      })
  }
🐍 Python Ver todo Python detalles →
Session Fixation Vulnerability HIGH

Regenerate the session ID immediately after successful authentication

+10 -4 python 
  from flask import session, request
  from flask_login import login_user
  
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
+ def regenerate_session():
+     data = dict(session)
+     session.clear()
+     session.update(data)
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     user = User.query.filter_by(username=request.form['username']).first()
+     if user and check_password(user.password, request.form['password']):
+         regenerate_session()
          login_user(user)
          return redirect('/dashboard')

Prácticas clave

  • Use predictable values or cookies lack Secure/HttpOnly flags
  • Use a session ID that the attacker already knows
4 Señales de Alerta
4 Señales de Alerta

Qué buscar en las revisiones de código

Estos patrones indican vulnerabilidades potenciales de Session Fixation. Búscalos durante las revisiones de código y auditorías de seguridad.

🟠
Session configuration has security vulnerabilities express-insecure-session
🟠
insecure session configuration including weak secrets, insecure cookies, and missing security flags express-insecure-session
🟠
Session management has security weaknesses go-insecure-session-management
🟠
missing session regeneration after authentication, which enables session fixation attacks python-session-fixation
🔍

Escanea tu base de código para Session Fixation

Shoulder CLI encuentra patrones vulnerables en toda tu base de código.

npx shoulder trust Ver todas las reglas