
Session Fixation

3 rules detect this


Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session.
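As an added example (not Shoulder's code and not one of the rule fixes on this page), a minimal server-side session store in Go shows both sides of the attack described above: `Login` with `rotate=false` keeps whatever `session_id` the browser presented, so an ID chosen before authentication silently becomes an authenticated one, while `rotate=true` discards the presented ID and issues a fresh crypto/rand one. The type and function names (`Store`, `Login`, `UserFor`) are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
)

// Store is a minimal in-memory server-side session store, constructed for this
// example: session ID -> user name ("" until the session is authenticated).
type Store map[string]string

// newID draws 32 bytes from crypto/rand; a read failure is returned rather
// than silently producing a zero-filled, predictable ID.
func newID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(b), nil
}

// Login binds the current session to user after a successful credential check
// (assumed to have happened already). rotate=false keeps whatever session_id
// the browser presented, which is the fixation bug: an ID planted before
// authentication becomes an authenticated one. rotate=true discards that ID
// and issues a fresh one, so a pre-authentication ID is never upgraded.
func (s Store) Login(w http.ResponseWriter, r *http.Request, user string, rotate bool) (string, error) {
	id := ""
	if c, err := r.Cookie("session_id"); err == nil {
		id = c.Value
	}
	if rotate || id == "" {
		delete(s, id) // invalidate the pre-authentication session server-side
		fresh, err := newID()
		if err != nil {
			return "", err
		}
		id = fresh
	}
	s[id] = user
	http.SetCookie(w, &http.Cookie{Name: "session_id", Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode, MaxAge: 3600})
	return id, nil
}

// UserFor is what a later request's auth check does: resolve the presented ID.
func (s Store) UserFor(id string) string { return s[id] }
```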

Prevalence
Medium
3 languages covered
Impact
High
3 high-severity rules
Prevention
Documented
3 fix examples

How to fix this vulnerability

Prevention strategies for Session Fixation, based on 3 Shoulder detection rules.

Express Insecure Session Configuration HIGH

Configure sessions with environment-based secrets and secure cookie flags

+9 -3 javascript
  app.use(session({
-   secret: 'keyboard cat',
-   resave: true,
-   saveUninitialized: true
+   secret: process.env.SESSION_SECRET,
+   cookie: {
+     secure: process.env.NODE_ENV === 'production',
+     httpOnly: true,
+     sameSite: 'strict',
+     maxAge: 1000 * 60 * 60 * 24
+   },
+   resave: false,
+   saveUninitialized: false
  }));
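Review bot: the rewritten `app.use(session({...}))` still never rotates the session ID at login, which is the control that actually stops fixation; a stronger secret and cookie flags are necessary but not sufficient. In the login handler, call `req.session.regenerate(err => { ... })` after the credential check and set the user on the new session inside the callback. Two smaller points on the `+` lines: `secure: process.env.NODE_ENV === 'production'` only results in the cookie being set when express-session sees an HTTPS connection, so behind a TLS-terminating proxy `app.set('trust proxy', 1)` is also needed; and `secret: process.env.SESSION_SECRET` will be undefined when the variable is missing, so validate it explicitly at startup to get a clear error instead of a generic one from the middleware.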
  
Insecure Session Management HIGH

Use crypto/rand for session IDs with Secure, HttpOnly, and SameSite cookie flags

+10 -4 go
  func createSession(w http.ResponseWriter, r *http.Request) {
-     sessionID := fmt.Sprintf("%d", time.Now().Unix())
-     http.SetCookie(w, &http.Cookie{
-         Name:  "session_id",
-         Value: sessionID,
+     b := make([]byte, 32)
+     rand.Read(b)
+     sessionID := base64.URLEncoding.EncodeToString(b)
+     http.SetCookie(w, &http.Cookie{
+         Name:     "session_id",
+         Value:    sessionID,
+         HttpOnly: true,
+         Secure:   true,
+         SameSite: http.SameSiteStrictMode,
+         MaxAge:   3600,
      })
  }
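Review bot: `rand.Read(b)` discards its error on the `+` line; if crypto/rand fails, `b` stays zero-filled and every session gets the same base64 string of zero bytes, so write `if _, err := rand.Read(b); err != nil { http.Error(w, "session error", http.StatusInternalServerError); return }`. The imports are not in the hunk and the identifier `rand` is the same for `math/rand`, so confirm the import really is `crypto/rand` as the description says. The hunk also only changes how the ID is generated: for this to prevent fixation, `createSession` must run after authentication and the handler must not carry over any `session_id` the client already presented, which is not shown here. Consider adding `Path: "/"` as well, since the default path is derived from the request URL.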
  
Session Fixation Vulnerability HIGH

Regenerate the session ID immediately after successful authentication

+10 -4 python
  from flask import session, request
  from flask_login import login_user
  
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
+ def regenerate_session():
+     data = dict(session)
+     session.clear()
+     session.update(data)
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     user = User.query.filter_by(username=request.form['username']).first()
+     if user and check_password(user.password, request.form['password']):
+         regenerate_session()
          login_user(user)
          return redirect('/dashboard')
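Review bot: `regenerate_session()` does not rotate an identifier; `dict(session)`, `session.clear()`, `session.update(data)` round-trips the same data through the same session object. With Flask's default signed client-side cookie there is no server-side ID to regenerate, and with a server-side store such as Flask-Session the store's SID must be deleted and reissued for this to count as regeneration, so confirm which backend is in use and make the helper act on that backend's ID. Calling it before `login_user(user)` is the right order, since the user identity is then only ever written into the new session. The hunk does not show `redirect`, `app`, `User` or `check_password` being imported; presumably they are elsewhere in the file.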
  

Key practices

  • Use predictable values or cookies that lack Secure/HttpOnly flags
  • Use a session ID that the attacker already knows
4 Warning Signs

What to look for during code reviews

These patterns indicate potential Session Fixation vulnerabilities. Look for them during code reviews and security audits.

  • Session configuration has security vulnerabilities (express-insecure-session)
  • Insecure session configuration including weak secrets, insecure cookies, and missing security flags (express-insecure-session)
  • Session management has security weaknesses (go-insecure-session-management)
  • Missing session regeneration after authentication, which enables session fixation attacks (python-session-fixation)

Scan your codebase for Session Fixation

Shoulder CLI finds vulnerable patterns across your entire codebase.