Session Fixation (CWE-384) - Security Vulnerability

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session.

व्यापकता

मध्यम

3 भाषाएँ कवर की गईं

प्रभाव

उच्च

3 उच्च गंभीरता वाले नियम

रोकथाम

प्रलेखित

3 फिक्स उदाहरण

2 रोकथाम

इस भेद्यता को कैसे ठीक करें

3 Shoulder डिटेक्शन नियमों पर आधारित Session Fixation के लिए रोकथाम रणनीतियाँ।

🟨 JavaScript सब देखें JavaScript विवरण →

Express Insecure Session Configuration HIGH

Configure sessions with environment-based secrets and secure cookie flags

+9 -3 javascript

  app.use(session({
-   secret: 'keyboard cat',
-   resave: true,
-   saveUninitialized: true
+   secret: process.env.SESSION_SECRET,
+   cookie: {
+     secure: process.env.NODE_ENV === 'production',
+     httpOnly: true,
+     sameSite: 'strict',
+     maxAge: 1000 * 60 * 60 * 24
+   },
+   resave: false,
+   saveUninitialized: false
  }));

🐹 Go सब देखें Go विवरण →

Insecure Session Management HIGH

Use crypto/rand for session IDs with Secure, HttpOnly, and SameSite cookie flags

+10 -4 go

  func createSession(w http.ResponseWriter, r *http.Request) {
-     sessionID := fmt.Sprintf("%d", time.Now().Unix())
-     http.SetCookie(w, &http.Cookie{
-         Name:  "session_id",
-         Value: sessionID,
+     b := make([]byte, 32)
+     rand.Read(b)
+     sessionID := base64.URLEncoding.EncodeToString(b)
+     http.SetCookie(w, &http.Cookie{
+         Name:     "session_id",
+         Value:    sessionID,
+         HttpOnly: true,
+         Secure:   true,
+         SameSite: http.SameSiteStrictMode,
+         MaxAge:   3600,
      })
  }

🐍 Python सब देखें Python विवरण →

Session Fixation Vulnerability HIGH

Regenerate the session ID immediately after successful authentication

+10 -4 python

  from flask import session, request
  from flask_login import login_user
  
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
+ def regenerate_session():
+     data = dict(session)
+     session.clear()
+     session.update(data)
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     user = User.query.filter_by(username=request.form['username']).first()
+     if user and check_password(user.password, request.form['password']):
+         regenerate_session()
          login_user(user)
          return redirect('/dashboard')

मुख्य अभ्यास

Use predictable values or cookies lack Secure/HttpOnly flags
Use a session ID that the attacker already knows

3 पहचान

अपने कोड में भेद्यताएँ खोजें

Session Fixation पैटर्न के लिए अपने कोडबेस को स्कैन करने के लिए Shoulder का उपयोग करें। 3 नियम.

टर्मिनल

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=384

# Or scan entire project
npx @shoulderdev/cli trust .

पहचान नियम (3)

🟨 Javascript 1 rules

Express Insecure Session Configuration HIGH

Detects insecure session configuration including weak secrets, insecure cookies, and missing security flags.

🔷 Typescript 1 rules

Express Insecure Session Configuration HIGH

Detects insecure session configuration including weak secrets, insecure cookies, and missing security flags.

🐹 Go 1 rules

Insecure Session Management HIGH

Session IDs use predictable values or cookies lack Secure/HttpOnly flags.

🐍 Python 1 rules

Session Fixation Vulnerability HIGH

Detects missing session regeneration after authentication, which enables session fixation attacks. Session fixation is a serious authentication vulnerability where an attacker forces a victim to use a session ID that the attacker already knows. The attack works like this: 1. Attacker obtains a valid session ID (e.g., by visiting the login page) 2. Attacker tricks victim into authenticating with that session ID (via URL, cookie injection, etc.) 3. Victim logs in, and the pre-known session ID be

4 चेतावनी संकेत

कोड समीक्षा में किन बातों पर ध्यान दें

ये पैटर्न संभावित Session Fixation भेद्यताओं का संकेत देते हैं। कोड समीक्षा और सुरक्षा ऑडिट के दौरान इन्हें देखें।

🟠

Session configuration has security vulnerabilities express-insecure-session

🟠

insecure session configuration including weak secrets, insecure cookies, and missing security flags express-insecure-session

🟠

Session management has security weaknesses go-insecure-session-management

🟠

missing session regeneration after authentication, which enables session fixation attacks python-session-fixation

🔍

अपने कोडबेस को इसके लिए स्कैन करें: Session Fixation

Shoulder CLI आपके पूरे कोडबेस में भेद्य पैटर्न खोजता है।

npx shoulder trust सभी नियम देखें