From the course: Programming Foundations: Web Security
Session fixation
- Session fixation is an attack where the attacker provides a user with a valid session identifier. It's similar to session hijacking, but reversed. Instead of stealing a user's session ID, the attacker gives the user a session ID, one which the attacker controls. In both cases, the result will be that the user and the attacker are using the same session identifier. The purpose of the attack is also the same. An attacker can assume the user's identity and share their access privileges. Of course, the session that the attacker provides will not be authenticated. It won't be attached to a logged-in user yet. The attacker has to wait patiently. When the user eventually logs into the website again, the application stores a bit of data in the session file to remember that the user has logged in and should be allowed to view other pages. Now the attacker can take advantage of the shared session and visit access-restricted…
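The transcript stops just as the attacker starts using the shared session. The standard defence is to regenerate the session identifier at the moment of login (and, as a second layer, to refuse client-supplied identifiers the server never issued). The simulation below is an added example, not code from the course; it models a tiny in-memory session store with the fixation-prone behaviour described above and then shows both mitigations. The store, the `strict` flag and the identifier `deadbeef-attacker-chosen` are all constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal in-memory stand-in for a server-side session store (constructed)."""

    def __init__(self, strict=False):
        # strict=True models a "strict mode" store: an ID the server never
        # issued is ignored and a fresh one is generated instead.
        self.strict = strict
        self.sessions = {}

    def resolve(self, client_sid):
        """Return the session ID this request will use, creating a session if needed."""
        if client_sid in self.sessions:
            return client_sid
        if client_sid is not None and not self.strict:
            # Fixation-prone behaviour: adopt whatever ID the client presented,
            # so an attacker can make the server "know" an ID of their choosing.
            self.sessions[client_sid] = {}
            return client_sid
        fresh = secrets.token_hex(16)
        self.sessions[fresh] = {}
        return fresh

    def regenerate(self, sid):
        """Move the session's data to a fresh ID and invalidate the old one."""
        data = self.sessions.pop(sid)
        fresh = secrets.token_hex(16)
        self.sessions[fresh] = data
        return fresh

    def user_for(self, sid):
        """Logged-in user attached to a session, or None if unauthenticated/unknown."""
        return self.sessions.get(sid, {}).get("user")


def login(store, client_sid, username, regenerate_on_login):
    """Authenticate the user; optionally rotate the session ID first."""
    sid = store.resolve(client_sid)
    if regenerate_on_login:
        # Mitigation: the pre-login ID (possibly attacker-chosen) never becomes
        # an authenticated session.
        sid = store.regenerate(sid)
    store.sessions[sid]["user"] = username
    return sid


def simulate(strict=False, regenerate_on_login=False):
    """Run the fixation scenario and report whether the attacker shares the victim's session."""
    store = SessionStore(strict=strict)
    fixed_sid = "deadbeef-attacker-chosen"  # constructed attacker-chosen ID

    # Step 1: attacker visits first so the server associates a session with the chosen ID
    # (in strict mode the server ignores it and hands the attacker an unrelated fresh ID).
    attacker_sid = store.resolve(fixed_sid)

    # Step 2: victim arrives carrying the same ID and logs in.
    victim_sid = login(store, fixed_sid, "alice", regenerate_on_login)

    return {
        "victim_user": store.user_for(victim_sid),
        "attacker_user": store.user_for(attacker_sid),
        "shared_session": victim_sid == attacker_sid,
    }


if __name__ == "__main__":
    print("no mitigation:       ", simulate())
    print("regenerate on login: ", simulate(regenerate_on_login=True))
    print("strict mode:         ", simulate(strict=True))
```

Only the first run leaves the attacker holding an authenticated session. Regeneration on login is the mitigation to apply first, because it works even when the store cannot distinguish issued from unissued identifiers; strict mode closes the remaining gap where the attacker merely needs the server to accept an arbitrary ID.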
Contents
- Types of credential attacks (4m 55s)
- Strong passwords (4m 1s)
- URL manipulation and Insecure Direct Object Reference (IDOR) (4m 43s)
- SQL injection (6m 16s)
- Cross-Site Scripting (XSS) (6m 15s)
- Cross-Site Request Forgery (CSRF) (4m 21s)
- Cross-Site Request protections (3m 38s)
- Cookie visibility and theft (4m 37s)
- Session hijacking (5m 8s)
- Session fixation (3m 18s)
- Remote system execution (2m 8s)
- File upload abuse (2m 59s)
- Denial of service (4m 55s)