Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 13.12.2024
Last edited by cbay - 16.12.2024

FS#117 - Session Fixation on admin.alwaysdata.com

Hi Team, I hope you are doing well. While researching your domain I found a Session Fixation vulnerability.

Steps To Reproduce:

Step-1: Open up Firefox and install the Cookie Editor extension in your browser.
Step-2: Go to https://admin.alwaysdata.com/login/?next=/ and log in with your credentials.
Step-3: Click on "Cookie Editor", then click on "Export cookie"; this copies the cookie to the clipboard.
Step-4: Open another browser or a private tab.
Step-5: Go to https://admin.alwaysdata.com/login/?next=/ but don't log in. Simply click on "Cookie Editor", click on "Import cookie" and paste the cookie we previously exported.
Step-6: After pasting, just refresh the page, then scroll down and click on "Register"; after that, scroll down again and click on "Already registered? Login" and you can see you are logged in to the account.

Impact:
A successful session fixation attack gives the attacker access to the victim's account. This could mean access to higher level privileges or the ability to look at sensitive data.

Note: An attacker can use a link or create a login page and send it to the user by social media or any other way to hijack the session.

Thank You,

Waleed Anwar

Closed by cbay
16.12.2024 11:43
Reason for closing: Invalid
17.12.2024: A request to reopen the task has been made. Reason for request: In a different domain I tested this vulnerability and I didn't find it, because different browsers work with different session cookies; you can set a different session on a different browser.
Admin
cbay commented on 16.12.2024 11:43

Hello,

That's not a session fixation, that's just how the web works. If you copy the cookie from one browser to another, then yes, you are logged in both.

Kind regards,
Cyril
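Cyril's distinction can be made concrete. The following is an added example, not alwaysdata's code: the `SessionStore` class is a constructed stand-in for a web framework's session handling, with one mode that keeps the pre-login session id (the behaviour session fixation actually exploits) and one that issues a fresh id at login. The check a defender runs for session fixation is whether the identifier observed before authentication still authenticates afterwards; reusing an already-authenticated cookie in a second browser, as in the steps above, is accepted by both variants, because that is what a session cookie is for.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for illustration).

    rotate_on_login=False models a server that keeps the same session id
    across authentication, which is the precondition for session fixation.
    rotate_on_login=True models the usual mitigation: a new id at login.
    """

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": username or None}

    def new_anonymous_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str) -> str:
        """Authenticate session `sid`; return the id the client should use afterwards."""
        if sid not in self.sessions:
            sid = self.new_anonymous_session()
        if self.rotate_on_login:
            # Invalidate the pre-login id so anyone who learned it earlier
            # does not end up holding an authenticated session.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username}
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def session_id_rotates_on_login(store: SessionStore) -> bool:
    """The real session fixation check: a pre-login id must not stay valid
    and become authenticated after login."""
    pre = store.new_anonymous_session()
    post = store.login(pre, "alice")
    return post != pre and store.whoami(pre) is None


def copied_cookie_is_logged_in(store: SessionStore) -> bool:
    """What the report's steps demonstrate: presenting an authenticated cookie
    value from a second client is accepted. True for any cookie-based session,
    rotated or not, so it does not distinguish a vulnerable server."""
    sid = store.login(store.new_anonymous_session(), "alice")
    imported_cookie = sid  # the value exported from browser A and imported in browser B
    return store.whoami(imported_cookie) == "alice"


if __name__ == "__main__":
    for rotate in (False, True):
        store = SessionStore(rotate_on_login=rotate)
        print(f"rotate_on_login={rotate}: "
              f"fixation-safe={session_id_rotates_on_login(SessionStore(rotate))}, "
              f"copied cookie accepted={copied_cookie_is_logged_in(store)}")
```

Only `session_id_rotates_on_login` separates the two stores; `copied_cookie_is_logged_in` is true for both, which is the point of Cyril's reply. Mitigations that do limit cookie reuse, such as binding a session to a short lifetime and revoking it at logout, are separate from session fixation.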

In a different domain I tested this vulnerability and I didn't find it, because different browsers work with different session cookies; you can set a different session on a different browser.

Thank you,

Waleed Anwar
