You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have identified a session fixation vulnerability, below is the steps to reproduce:
Step 1: Browse the application https://demo.mailpile.is/C/auth/login/ in any browser and intercept the request over proxy.
Step 2: Now observe the cookie "Cookie: 8MQqWfxkHjuN=YP9UgMJ7cCpfkxdL3fZkoEKBIIUFPjMq"
Step 3: Now login into the application and again intercept the request of an authenticated page.
Step 4: Now again observe the cookie "Cookie: 8MQqWfxkHjuN=YP9UgMJ7cCpfkxdL3fZkoEKBIIUFPjMq"
Step 5: The session cookie is same prior and post authentication which makes the application vulnerable to session fixation.
I have identified a session fixation vulnerability, below is the steps to reproduce:
Step 1: Browse the application https://demo.mailpile.is/C/auth/login/ in any browser and intercept the request over proxy.
Step 2: Now observe the cookie "Cookie: 8MQqWfxkHjuN=YP9UgMJ7cCpfkxdL3fZkoEKBIIUFPjMq"
Step 3: Now login into the application and again intercept the request of an authenticated page.
Step 4: Now again observe the cookie "Cookie: 8MQqWfxkHjuN=YP9UgMJ7cCpfkxdL3fZkoEKBIIUFPjMq"
Step 5: The session cookie is same prior and post authentication which makes the application vulnerable to session fixation.
Reference Link:
https://owasp.org/www-community/attacks/Session_fixation
Mitigation/Patch
If you assign a new session when someone logs in, this flaw should be fixed.
The text was updated successfully, but these errors were encountered: