Session ID not updated (AppScan scan results)

Recent job requirements address the vulnerability of the Web-based project, which is a appscan tool for scanning the vulnerability, in which this article is about the issue of session identity not being updated. Let's share this piece of stuff.

Original articles, reproduced please specify

------------------------------------------------------------------

Test Type:
Application-Level testing

Threat Classification:
Session setting

Reason:
WEB application Programming or configuration is not secure

Security risk:
Customer sessions and cookies may be stolen or manipulated, and they may be used to mimic legitimate users, allowing hackers to view or change user records as that user and perform transactions

Affected Products:
This issue may affect various types of products.

Reference:

"Session fixation vulnerability in web-based applications", Mitja Kolsek-acros Security
PHP Manual, Session handling Functions, Sessions and security technical description:

Technical Description:

When authenticating a user or otherwise establishing a new user session, if no existing session identity is invalidated, the attacker will have the opportunity to steal the authenticated session. This is usually observed in the following cases
The scene:
[1] The WEB application authenticates the user without first revoking the existing session, that is, continuing to use the session that has been associated with the user
[2] The attacker is able to enforce a known session identity to the user so that once the user authenticates, the attacker has access to the authenticated session
[3] The application or container uses a predictable session ID.
During a general exploration of a session-pinning vulnerability, an attacker creates a new session on the Web application and records the associated conversation identity. The attacker then causes the victim to use the session ID for the service
Can be authenticated so that an attacker can access the user's account through the active session. AppScan found that the session ID was not updated before and after the logon process, which means there are
Situations where a fake user may occur. A remote attacker who knows the session ID value beforehand can impersonate a legitimate user who is logged on.
Attack Flow:
A) The attacker uses the victim's browser to open the login form for the vulnerable site.
b) Once the form is opened, the attacker writes down the session ID value and waits.
c) When a victim logs on to a vulnerable site, its session ID is not updated.
D) The attacker could then use the session ID value to impersonate the victim and act as the user.
Session identity values can be obtained by leveraging cross-site scripting vulnerabilities that cause the victim's browser to use a predefined session ID when contacting a vulnerable site, or by initiating a "session-solid
(Will cause the site to provide a pre-defined session ID to the victim's browser) to obtain.

Session ID not updated (AppScan scan results)