search

Session Fixation

hashtag
Check List

hashtag
Methodology

hashtag
Black Box

hashtag
Account Take Over

1

Log in to the target site and inspect the HTTP requests using Burp Suite

2

Check whether a cookie is set for us as soon as we enter the site

GET / HTTP/1.1
Host: example.com

Response 

Set-Cookie: sessionid=ABC123XYZ; path=/; HttpOnly
3

If the cookie was set before authentication, then complete the authentication process and check whether the same cookie is set after authentication or not

POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: sessionid=ABC123XYZ

username=victim&password=VictimPass123
4

If the same cookie was issued, the session fixation vulnerability would be confirmed

5

Then check if the session that is set exists in the URL parameters and in GET form

GET /dashboard?sessionid=ABC123XYZ HTTP/1.1
Host: target.com
6

Send the session to a user as a link so that a user can authenticate using that session

http://target.com/login?sessionid=ABC123XYZ
7

Then, after the victim authenticates with the attacker's session, the attacker authenticates with the same session and gains access to the victim's panel

GET /dashboard HTTP/1.1
Host: target.com
Cookie: sessionid=ABC123XYZ

hashtag
Authentication Bypass via Captured Login Responses

1

Send a valid login request (correct email/password)

2

Capture the response using Burp Suite and copy it

3

Log out the user

4

Send a new login request with an incorrect password

5

Replace the 400 Bad Request response with the previously captured legitimate login response (including the valid session cookie)

hashtag
Improper Session Invalidation Allows Account Access After Logout

1

Login with a valid account

2

Capture the login HTTP 302 Found response using a proxy tool like Burp Suite

3

Log out from the account

4

Clear browser cookies

5

Attempt to log in as a different user

6

During login, replace the server response with the earlier captured 302 response

7

The application logs you into the original session (victim@example.com), not the new user

hashtag
Account Takeover

1

Visit the target site without logging in

2

Check cookies, URL parameters, hidden fields, or response headers for a session identifier (PHPSESSID, JSESSIONID, session_id=abc123)

3

Open two different browsers/incognito windows

4

Visit the site, Note the session ID is generated and sent before login

5

Verify the same session ID persists after refresh or navigation

6

Create a login link containing the attacker-controlled session ID like

https://target.com/login
https://target.com/?PHPSESSID=attacker123
https://target.com/dashboard;jsessionid=attacker123
7

Send the malicious link via email, chat, or phishing page (victim trusts the domain)

8

Victim clicks the link → Lands on site with attacker’s session ID

9

Victim enters valid credentials and logs in successfully

10

Application does NOT issue a new session ID after successful authentication, Same attacker123 remains active

11

Attacker visits the site using the same session ID

https://target.com/?PHPSESSID=attacker123
12

Instantly logged in as the victim, Full session takeover

hashtag
White Box

hashtag
Cheat Sheet

PreviousCookies AttributesNextExposed Session Variables

Last updated