Session fixation is a web application vulnerability in which an attacker gains full control of a victim's account without ever using the victim's credentials, such as the username and password: the attacker plants a session identifier of their own choosing in the victim's browser before the victim logs in, and if the application keeps that identifier across authentication, the attacker's copy of it now refers to the authenticated session. Existing defensive techniques and procedures are not completely effective against such attacks. The authors found that some 48% of Indonesian websites are vulnerable to session fixation because, contrary to best software engineering practice, many rely on the default session management of their development platforms, and it is this default behaviour (accepting a session identifier supplied by the client and not issuing a new one after login) that makes fixation possible. This paper presents procedures for identifying vulnerable websites and the results of applying them.

Keywords: web application security; session fixation; session hijacking
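The following is an added example, not code from the paper. It models the two behaviours the abstract describes in a pair of minimal in-process "web apps" (no network, no framework): one with framework-default style session handling that adopts a client-supplied session ID and keeps it across login, and one that refuses foreign IDs and rotates the ID at the privilege boundary. A black-box check then runs the attacker's procedure against each: plant an ID, let the victim authenticate, and see whether the planted ID now grants the attacker the victim's session. The app classes, the `whoami` endpoint, the user `alice` and her password are all constructed for illustration.

```python
"""Session fixation: vulnerable vs hardened session handling, plus a black-box check.

Added example; not the paper's code. Apps, endpoints and credentials are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Response:
    status: int
    set_cookie: Optional[str] = None   # session ID the server tells the browser to keep
    body: str = ""


class VulnerableApp:
    """Framework-default style session handling: an unknown session ID presented
    by the client is adopted as-is, and the ID survives authentication."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}          # sid -> session data
        self.users = {"alice": "correct horse"}      # constructed credentials

    def _session(self, sid: Optional[str]):
        if sid is None:
            sid = secrets.token_hex(16)               # server-generated only if none sent
        if sid not in self.sessions:
            self.sessions[sid] = {}                   # FLAW: a client-chosen sid is accepted
        return sid, self.sessions[sid]

    def login(self, cookie_sid: Optional[str], username: str, password: str) -> Response:
        sid, sess = self._session(cookie_sid)
        if self.users.get(username) != password:
            return Response(401, set_cookie=sid)
        sess["user"] = username                       # FLAW: privilege changes, sid does not
        return Response(200, set_cookie=sid)

    def whoami(self, cookie_sid: Optional[str]) -> Response:
        sess = self.sessions.get(cookie_sid or "", {})
        return Response(200 if "user" in sess else 401, body=sess.get("user", ""))


class HardenedApp(VulnerableApp):
    """Never adopts a foreign session ID and issues a fresh one on successful login."""

    def _session(self, sid: Optional[str]):
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(16)               # unknown sid -> replaced, not adopted
            self.sessions[sid] = {}
        return sid, self.sessions[sid]

    def login(self, cookie_sid: Optional[str], username: str, password: str) -> Response:
        sid, _ = self._session(cookie_sid)
        if self.users.get(username) != password:
            return Response(401, set_cookie=sid)
        self.sessions.pop(sid, None)                  # invalidate the pre-auth session
        new_sid = secrets.token_hex(16)               # rotate at the privilege boundary
        self.sessions[new_sid] = {"user": username}
        return Response(200, set_cookie=new_sid)


def session_fixation_check(app: VulnerableApp, username: str, password: str) -> dict:
    """Black-box fixation test from the attacker's point of view.

    1. Does the app adopt a session ID it never issued?
    2. Does a successful login keep the pre-authentication ID?
    3. Can someone who knows only the planted ID now act as the user?
    Finding 3 is the one that matters; 1 and 2 explain why it happened.
    """
    planted = "attacker-chosen-" + secrets.token_hex(4)
    r = app.login(planted, username, "wrong-password")          # victim visits, not yet logged in
    accepts_foreign_sid = r.set_cookie == planted
    r = app.login(planted, username, password)                   # victim logs in with planted sid
    sid_kept_after_login = r.status == 200 and r.set_cookie == planted
    hijacked = app.whoami(planted).status == 200                 # attacker replays planted sid
    return {
        "accepts_foreign_sid": accepts_foreign_sid,
        "sid_kept_after_login": sid_kept_after_login,
        "hijacked": hijacked,
    }


if __name__ == "__main__":
    for app in (VulnerableApp(), HardenedApp()):
        print(type(app).__name__, session_fixation_check(app, "alice", "correct horse"))
```

Against a real site the same three observations are made over HTTP: send a fabricated session cookie on the first request, complete a login, and compare the cookie the server sets after authentication with the one you planted; a site that echoes the planted value back and then serves authenticated pages for it is vulnerable regardless of how strong the platform's own ID generator is.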