What is session fixation?
Session fixation is a type of vulnerability that occurs when an attacker is able to set or fix a user’s session ID before the user logs in to a web application.
Disclaimer:
I’m writing this a long time after I found this vulnerability, so I don’t remember the details, and my report was very straightforward about how to reproduce it.
While testing a website, it is very important to pay attention to details such as links, parameters, endpoints, or anything else that might appear only at specific moments or for a short period. This is what helped me find this vulnerability.
During the login flow on the website, I noticed a URL that would pop up for a short time with a parameter “SID” (redacted.com/?SID=) and the parameter had a type of “hash”. I took note of this “hash” and started searching for where else I could find it. It turns out that it was my JSESSIONID cookie.
Since I had two accounts on the website, I logged out of the account I was logged in to and then tried logging in again using the URL with the “SID” parameter set to the same JSESSIONID that the site had previously given me.
I pasted the URL into another web browser, the site asked for a username and password, and I logged in.
Next, I went to the other web browser and pasted the same link, and this time the site didn’t ask for a username and password; instead, it just redirected me to the profile of my “victim” account.
So what would the flow be to take over an account with this vulnerability (FOR THIS WEBSITE)?
1. First, you would need to log into the website with your own account.
2. Copy your JSESSIONID and use it in the SID parameter, like this -> www.website.com/?SID=<JSESSIONID>
3. Send this URL to the victim (phishing attack) and wait for the victim to log in using the URL.
4. After the victim has logged in, you would just need to visit the URL.
Lesson learned: The devil resides in small things
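The behaviour reported above rests on two server-side decisions: the SID value from the URL is adopted as the session, and that same ID stays valid after login. The Python model below is an added example, not code from the site or the original report; it replays the two-browser test against that flawed behaviour and against a hardened variant that ignores URL-supplied IDs and issues a fresh ID at login. `SessionStore`, `replay_scenario` and the in-memory session table are hypothetical names assumed for illustration.

```python
import secrets


class SessionStore:
    """Hypothetical in-memory session table: session id -> logged-in user or None."""

    def __init__(self, harden):
        self.harden = harden
        self.sessions = {}

    def _new_sid(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def visit(self, cookie_sid=None, url_sid=None):
        """Return the session id the server uses for this request."""
        if not self.harden and url_sid:
            # Flawed behaviour from the write-up: the ?SID= value becomes the session.
            self.sessions.setdefault(url_sid, None)
            return url_sid
        if cookie_sid in self.sessions:
            return cookie_sid
        return self._new_sid()  # no known cookie: issue a new id, never adopt url_sid

    def login(self, sid, user):
        """Authenticate `user`; return the session id valid after login."""
        if self.harden:
            self.sessions.pop(sid, None)  # invalidate the pre-login id
            sid = self._new_sid()         # issue a fresh id nobody else has seen
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def replay_scenario(harden):
    """Replay the two-browser test; return the user seen by the first browser."""
    store = SessionStore(harden)
    known_sid = store.visit()                    # browser A is handed a session id
    sid_b = store.visit(url_sid=known_sid)       # browser B opens /?SID=<known_sid>
    store.login(sid_b, "victim")                 # constructed account name
    sid_a = store.visit(cookie_sid=known_sid, url_sid=known_sid)  # A reopens the link
    return store.whoami(sid_a)


if __name__ == "__main__":
    print("flawed:", replay_scenario(False), "| hardened:", replay_scenario(True))
```

In a Java servlet application, which the JSESSIONID cookie name suggests, the rotation step at login corresponds to calling `HttpServletRequest.changeSessionId()` (Servlet 3.1 and later).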