CWE-384 会话固定

admin 2022年1月5日20:58:44CWE(弱点枚举)评论11 views4344字阅读14分28秒阅读模式

CWE-384 会话固定

Session Fixation

结构: Composite

Abstraction: Compound

状态: Incomplete

被利用可能性: unkown


Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.


Such a scenario is commonly observed when:


  • cwe_Nature: ChildOf cwe_CWE_ID: 610 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 610 cwe_View_ID: 1003 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 610 cwe_View_ID: 699

  • cwe_Nature: Requires cwe_CWE_ID: 346 cwe_View_ID: 1000

  • cwe_Nature: Requires cwe_CWE_ID: 472 cwe_View_ID: 1000

  • cwe_Nature: Requires cwe_CWE_ID: 441 cwe_View_ID: 1000


Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}


范围 影响 注释
Access Control Gain Privileges or Assume Identity


Architecture and Design


Invalidate any existing session identifiers prior to authorizing a new user session.

Architecture and Design


For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.


The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().

bad Java

private void auth(LoginContext lc, HttpSession session) throws LoginException {



In order to exploit the code above, an attacker could first create a session (perhaps by logging into the application) from a public terminal, record the session identifier assigned by the application, and reset the browser to the login page. Next, a victim sits down at the same public terminal, notices the browser open to the login page of the site, and enters credentials to authenticate against the application. The code responsible for authenticating the victim continues to use the pre-existing session identifier, now the attacker simply uses the session identifier recorded earlier to access the victim's active session, providing nearly unrestricted access to the victim's account for the lifetime of the session. Even given a vulnerable application, the success of the specific attack described here is dependent on several factors working in the favor of the attacker: access to an unmonitored public terminal, the ability to keep the compromised session active and a victim interested in logging into the vulnerable application on the public terminal.

In most circumstances, the first two challenges are surmountable given a sufficient investment of time. Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, so long as the site is reasonably popular. The less well known the site is, the lower the odds of an interested victim using the public terminal and the lower the chance of success for the attack vector described above. The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker.

In the example above, the attacker did this through a direct method that is not subtle and does not scale suitably for attacks involving less well-known web sites. However, do not be lulled into complacency; attackers have many tools in their belts that help bypass the limitations of this attack vector. The most common technique employed by attackers involves taking advantage of cross-site scripting or HTTP response splitting vulnerabilities in the target site [12]. By tricking the victim into submitting a malicious request to a vulnerable application that reflects JavaScript or other code back to the victim's browser, an attacker can create a cookie that will cause the victim to reuse a session identifier controlled by the attacker. It is worth noting that cookies are often tied to the top level domain associated with a given URL. If multiple applications reside on the same top level domain, such as and, a vulnerability in one application can allow an attacker to set a cookie with a fixed session identifier that will be used in all interactions with any application on the domain [29].

The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to the j_security_check, which typically does not invalidate the existing session before processing the login request.

bad HTML



映射的分类名 ImNode ID Fit Mapped Node Name
7 Pernicious Kingdoms Session Fixation
OWASP Top Ten 2004 A3 CWE More Specific Broken Authentication and Session Management
WASC 37 Session Fixation


  • CAPEC-196
  • CAPEC-21
  • CAPEC-31
  • CAPEC-39
  • CAPEC-59
  • CAPEC-60
  • CAPEC-61


特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
  • 本文由 发表于 2022年1月5日20:58:44
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CWE-384 会话固定


匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: