In this article we explain what a session fixation vulnerability is and how to find this bug in a website.
We have already written about session fixation, and we have also covered session hijacking and the cookie hijacking attack.
If you have not read those articles, you can read them too. If you find a session fixation vulnerability in a website, you can easily access a user's account.
Note: This article is for educational purposes only. Don't misuse your knowledge and skills.
SESSION FIXATION VULNERABILITY
Session fixation can also be called session hijacking. We have already covered that in detail, and you must understand session hijacking before reading this article further.
As the image shows, a hacker can steal a normal user's session ID and log in to that user's account; how the session ID is stolen depends on the hacker.
If you skip that article, you will not be able to understand how session fixation works. It explains how sessions are created, where they are stored, and how they are stolen.
If you find a session fixation vulnerability in a website, you can earn a good bounty, because this bug makes it easy to hack the website's accounts and the users of that website.
How the Session Fixation Vulnerability Works
Let us now show how you can find a session fixation vulnerability in a website. This section also says a little more about sessions, so read it carefully.
As the image shows, first open the lab. A page like this opens; keep going to the next step until you reach the third step.
There you are given a URL to open. The lab gives you hints at every stage; on a live website you have to do something similar.
When the website loads, you can see that the session ID is shown in the URL even though it should not be, so you can consider this a bug.
Next, you are given a malicious link, which you have to open. All of this is there to explain how session fixation works.
A mailbox then opens in front of you. Open the mail first; the lab itself provides a guide to what you have to do next.
The mail contains a link that you have to open. Notice that the session ID is visible in the mail as well, which should never happen.
As soon as you open the link, you are asked to log in, and you are given an email and password to log in with.
After logging in, a page opens. Refresh this page, and you will see that the account opens without a login.
That completes the lab. You are then asked to analyze the code; do so, so that you understand how the code works in the background.
Now a question arises. We said that a visible session ID is a bug, but what if the session ID is not shown in the URL at all and only appears in the response in Burp Suite?
The ID merely being visible there is not a bug. But if you can log in to a website without a username and password by using a pre-existing session ID after you have logged out, that is a session fixation vulnerability.
I hope you now understand session fixation. There is no single way to extract a session ID, and Burp Suite is not the only tool you can do it with.
There are also many types of extensions you can use. Our article on how to hack Facebook using cookie hijacking explains how to extract cookies and session IDs.
If you have not read that article, you can read it too. If you obtain a user's session ID, you can open that account without a username and password.
One more thing: you have probably seen that after logging in to a website, you sometimes get a message that your session has expired, and you have to log in again.
It is also very common that, if you logged in from one IP address and your IP address changes, you are logged out automatically. All of this is done to secure users' accounts.
This is mostly used on websites where transactions are made or sensitive data is kept, such as Bitcoin websites or cPanel admin access.
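The following Python sketch is an added example, not code from the lab or from this article. It shows the server-side cause of the bug described above (a session ID that existed before login still works after login) next to the fix, together with the expiry and IP checks just mentioned. The class, function names, TTL and IP addresses are hypothetical and constructed for illustration.

```python
import secrets

SESSION_TTL = 900  # seconds; constructed value for this example

class SessionStore:
    """In-memory session table (hypothetical, for illustration only)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}  # sid -> {"user", "ip", "expires"}

    def _issue(self, user, ip, now):
        sid = secrets.token_urlsafe(32)  # unpredictable, server-generated
        self.sessions[sid] = {"user": user, "ip": ip, "expires": now + SESSION_TTL}
        return sid

    def start(self, ip, now):
        """Anonymous visit: issue a session with no user attached."""
        return self._issue(None, ip, now)

    def login(self, sid, user, ip, now):
        """Called after credentials are verified; returns the ID to use from now on."""
        if self.hardened:
            self.sessions.pop(sid, None)       # the pre-login ID dies at login
            return self._issue(user, ip, now)  # fresh ID, sent only to this client
        # Vulnerable behaviour: the pre-login ID is promoted to a logged-in one.
        self.sessions[sid] = {"user": user, "ip": ip, "expires": now + SESSION_TTL}
        return sid

    def whoami(self, sid, ip, now):
        """Return the user this ID is logged in as, or None."""
        s = self.sessions.get(sid)
        if s is None or now >= s["expires"]:
            self.sessions.pop(sid, None)       # expired: a new login is required
            return None
        if self.hardened and s["ip"] != ip:
            return None                        # IP changed: treat as logged out
        return s["user"]

def pre_login_id_after_login(store):
    """Does an ID that existed before login give account access afterwards?"""
    old = store.start(ip="198.51.100.7", now=0)          # ID known before login
    store.login(old, "alice", ip="203.0.113.5", now=10)  # user logs in under it
    return store.whoami(old, ip="198.51.100.7", now=20)
```

With `hardened=False` the pre-login ID resolves to the logged-in user, which is the behaviour the lab demonstrates; with `hardened=True` it resolves to nobody, because login discards it and issues a new one.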