Today, because of the project background, I needed to check a Web interface for security risks.
I have never systematically learned penetration testing, so I had to explore based on my own understanding of network protocols and the Web; in the end I found a session fixation vulnerability.
Scenario review:
Using a capture tool to monitor the business's login and logout interfaces, I found that after login the JSESSIONID was A, and after logout the JSESSIONID was still A;
however, the backend is built on Apache's Shiro component, which assigns a new session id after each login;
so, based on how cookies work, this place is very likely to be problematic.
The actual content of the cookie never changes, which is equivalent to permanently recording the user's account information.
Thus, once the user logs in, the intercepted header can be replayed by the capture tool to make any business request,
which is a fatal flaw.
The nature of the vulnerability is:
the JSESSIONID does not change before and after login; a fixed cookie is used.
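To make the check described above repeatable, here is an added example (not code from the original post or from the Shiro project): it parses captured Set-Cookie headers from the three stages (before login, after login, after logout) and flags a session id that is not rotated, and it models a minimal server-side session store in two variants, one that keeps the pre-login id through login (the behaviour observed above) and one that issues a fresh id on login. The captured header values, the user name "alice" and the session store itself are constructed for the example.

```python
import http.cookies
import secrets

# Constructed sample of what the capture tool showed: the same JSESSIONID
# before login, after login and after logout (not real traffic).
CAPTURED_SET_COOKIE = {
    "before_login": "JSESSIONID=A1B2C3; Path=/; HttpOnly",
    "after_login":  "JSESSIONID=A1B2C3; Path=/; HttpOnly",
    "after_logout": "JSESSIONID=A1B2C3; Path=/; HttpOnly",
}


def session_id_from_header(set_cookie, name="JSESSIONID"):
    """Parse a Set-Cookie header and return the session cookie's value (None if absent)."""
    jar = http.cookies.SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get(name)
    return morsel.value if morsel else None


def check_session_fixation(capture, name="JSESSIONID"):
    """Compare the session id across the three stages; an empty list means rotation looks healthy."""
    before = session_id_from_header(capture["before_login"], name)
    after_login = session_id_from_header(capture["after_login"], name)
    after_logout = session_id_from_header(capture["after_logout"], name)
    findings = []
    if before is not None and before == after_login:
        findings.append("session id not rotated on login (fixation risk)")
    if after_login is not None and after_login == after_logout:
        findings.append("session id survives logout (replayable)")
    return findings


class SessionStore:
    """Hypothetical server-side session model: session id -> attributes."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, sid, user):
        """Authenticate; the hardened variant discards the old id and issues a fresh one."""
        if sid not in self.sessions:
            sid = self.new_session()
        if self.rotate_on_login:
            self.sessions.pop(sid)
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def logout(self, sid):
        """Invalidate the authenticated session and hand out a new anonymous one."""
        self.sessions.pop(sid, None)
        return self.new_session()

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def simulate(rotate_on_login):
    """Run pre-login / login / logout and return the headers a capture tool would see,
    plus the user the server associates with the pre-login id once the login is done."""
    store = SessionStore(rotate_on_login)
    sid0 = store.new_session()              # issued on the first unauthenticated request
    sid1 = store.login(sid0, "alice")       # constructed user name
    user_via_old_id = store.whoami(sid0)    # None when the old id was invalidated
    sid2 = store.logout(sid1)
    capture = {
        "before_login": f"JSESSIONID={sid0}; Path=/; HttpOnly",
        "after_login":  f"JSESSIONID={sid1}; Path=/; HttpOnly",
        "after_logout": f"JSESSIONID={sid2}; Path=/; HttpOnly",
    }
    return capture, user_via_old_id


if __name__ == "__main__":
    print("captured:", check_session_fixation(CAPTURED_SET_COOKIE))
    for rotate in (False, True):
        cap, user = simulate(rotate_on_login=rotate)
        print(f"rotate_on_login={rotate}: findings={check_session_fixation(cap)}, "
              f"pre-login id resolves to user={user!r}")
```

The point of the two variants is the last column: when the id is not rotated, whoever held the pre-login id also holds the authenticated session after login, which is exactly why the fix is to invalidate the old session and issue a new id at the moment of authentication (and again at logout).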
Principle reference:
Https://www.owasp.org/index.php/Session_fixation
Implementation reference:
50380997
Short note: Web security testing - session fixation vulnerability