Vulnerability Solutions
 |
added scans last 7 days |
| The WatchMouse Periodic Vulnerability Scan checks for the vulnerability below. To see the most recently added vulnerability solutions that are scanned by WatchMouse, go to the Vulnerability Solutions overview |
| Category: Web Servers | Risk factor: High | Added: 18 Mar 2010 |
| Synopsis: The remote web application may be vulnerable to a session fixation attack. Description: The remote web application uses cookies to track authenticated users. If the session cookie is already present before authentication, it remains unchanged after a successful login. That is, only server-side variables are updated. Session cookies are expected to be unpredictable in a secure web application. If HTTP cookies can be manipulated (by injecting client- side JavaScript for example), then the attacker does not have to break the pseudo-random generator, and the web application is vulnerable to a 'session fixation' attack. See also: http://en.wikipedia.org/wiki/Session_fixation http://www.owasp.org/index.php/Session_Fixation Solution: Fix the application so that the session cookie is re-generated after successful authentication. Risk factor: High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) |
||
