Session Fixation Software Attack in Session Hijacking

Last Updated : 23 Jul, 2025
A session fixation software attack is a type of session hijacking that involves a persistent entity on the computer using the software. Session fixation has been observed in real-world use by various entities, including nation-states. Session fixation is done by acquiring or modifying the TCP/IP stack so that a user's connection appears to have been initiated from the attacker's own local system, and then responding with connections from that system to remote systems, typically without their knowledge. This enables the attacker to eavesdrop on any traffic between remote computers and their machine. The most common types of attacks are password guessing and Internet connectivity spoofing, leading to a denial of service.

Session Fixation Software Attack

A session fixation attack is mainly carried out by persistent malicious software; the sections below describe some common cases and the steps involved.

Details of the Session Fixation Software Attack in Session Hijacking

  • The attacker will find a way to write a Trojan on the user's system, which can be the client or server-side application.
  • This Trojan is placed in the directory of the local user, but it may also be placed in any other location that the attacker wants, like in an Internet Browser, FTP server, etc.
  • The malicious software is injected into the TCP/IP stack to make it appear as if the packets originated from its own system.

Session Fixation Attack Process

  • If a remote client connects to a local server or vice versa, the attacker will reply with their local IP address.
  • The attacker should never forward any packet to a remote host.
  • At this point, it is the TCP/IP stack that should detect the spoofed packets and return an ICMP error message.
  • If a response packet is not returned, the attacker manually intervenes by sending UDP reply packets.
  • This is the tricky part: how the attacker forwards the packet to the remote system without the knowledge of the remote host.
  • Tcpdump can be used to intercept ICMP packets.
  • Once ICMP error messages are forwarded back to the TCP/IP stack and are sent to the client system again, then this attack is successful.
  • If no response packet comes back for the ICMP message, the attack fails, because the stack replies to its own address in a new connection using a different IP header.
  • In this case, the attacker should manually intervene by:
    • Sending a UDP reply packet
    • Or restarting the TCP/IP stack

Countermeasures

  • The best security measure against a session fixation attack is to change the default login password.
  • This addresses one of the main reasons behind this attack: when a user logs in to a particular system, they should use a password that is known only to the local machine.
  • It's easier for an attacker to detect an outgoing packet using tools like ping or traceroute.
  • In some cases, using tcpdump can be helpful as well.

Vulnerability

1. The most common reason behind this type of attack is that local scripts are not protected from unauthorized access.

2. In such cases, it is probable that the local account:

  • Has a weak password.
  • Uses a password that contains already known words and has been stored somewhere (like web pages).
  • Is stored in an application log file.

3. Common attack targets include:

  • Web pages
  • Email connections
  • Online file transfers

How to Prevent Session Fixation Attacks

1. The best way to defend against a session fixation software attack is to:

  • Keep secret all the passwords for all your local systems.
  • Change login passwords using properly encrypted random text.

2. It’s always recommended to use:

  • Secure HTTP (HTTPS)
  • Secure FTP (SFTP)

3. If you suspect any malicious bot on your system, use this command to stop internet traffic for that system:

sudo /etc/init.d/iptables stop

4. Another strong measure is using a VPN (Virtual Private Network).

  • It acts like a secure tunnel where only authorized clients can connect using a single IP address; IP spoofing is not possible in such environments.

5. Consider using intrusion detection systems like:

  • Snort
  • GFI Languard

Conclusion

Session fixation software attacks might sound complex, but the fix starts with simple habits: using strong passwords, securing your connections, and regularly monitoring activity. These attacks usually exploit weak spots in session handling and software misconfigurations. If you're a developer or IT admin, make sure your apps don't allow fixed sessions to be reused after login. If you're a regular user, don't ignore those software updates and always double-check strange login pages.
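The conclusion's advice to developers, that an app must not let a session that existed before login be reused after login, is the core session fixation defense. The following is an added example, not code from the original article, using a constructed in-memory session store to show a fixation-prone login beside a hardened one that issues a fresh session id at authentication time.

```python
import secrets

# Minimal in-memory session store, constructed for this example.
# Maps session id -> session data; a real app would use a server-side store.
SESSIONS = {}


def new_session():
    """Create an anonymous (pre-login) session and return its id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login_vulnerable(sid, user):
    """Fixation-prone: the pre-login session id is kept after authentication.
    Anyone who already knows `sid` now holds an authenticated session."""
    session = SESSIONS.setdefault(sid, {"user": None})
    session["user"] = user
    return sid


def login_hardened(sid, user):
    """Hardened: discard the pre-login id and issue a fresh one on login.
    Data from the old session is carried over, the old id stops working."""
    old = SESSIONS.pop(sid, {"user": None})
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {**old, "user": user}
    return new_sid


def whoami(sid):
    """Return the user bound to a session id, or None if unknown/anonymous."""
    session = SESSIONS.get(sid)
    return session["user"] if session else None


def demo(login):
    """Simulate a session id that exists before login (the one a fixation
    attack relies on), then a login using that id. Returns the user seen via
    the pre-login id and via the id the login handler returned."""
    SESSIONS.clear()
    pre_login_sid = new_session()
    post_login_sid = login(pre_login_sid, "alice")
    return whoami(pre_login_sid), whoami(post_login_sid)


if __name__ == "__main__":
    print("vulnerable:", demo(login_vulnerable))  # pre-login id is now authenticated
    print("hardened:  ", demo(login_hardened))    # pre-login id is dead
```

With the vulnerable handler the pre-login id resolves to the logged-in user; with the hardened handler it resolves to nothing, so a pre-planted id gives no access.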