Session Fixation is an attack technique that forces a user’s session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to “fix” the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user’s session ID has been fixed, the attacker will wait for them to login. Once the user does so, the attacker uses the predefined session ID value to assume their online identity.
Technical Specifications
- Technical specifications
- WASC TC v2.0 Classes Coverage
- WASC TC v1.0 Classes Coverage
- OWASP Top Ten 2013 Coverage
- OWASP Top Ten 2010 Coverage
- OWASP Top Ten 2007 Coverage
- OWASP Top Ten 2004 Coverage
- 2011 CWE/SANS Top 25 Coverage
- 2010 CWE/SANS Top 25 Coverage
- 2009 CWE/SANS Top 25 Coverage
- The Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- NIST Special Publication 800-53
- Sarbanes-Oxley Act (SOX)
- DISA Security Technical Implementation Guide (STIG)
- ISO/IEC 27001:2005 Coverage
- ISO/IEC 27001:2013 Coverage