Session Fixation

A session fixation attack is an attempt to set (fix) another person's session identifier, the private token shared between a visitor and a website, to a value the attacker already knows. The attacker plants the identifier, waits for the victim to log in while carrying it, and then presents the same identifier to take over the authenticated session. Sites are exposed when they accept a session identifier supplied in the URL or in POST data and keep that identifier across login; this holds whether or not the transport is encrypted, because the weakness is that the server trusts an identifier it did not issue. The reliable defence is to issue a fresh, server-generated identifier when the user authenticates and to ignore identifiers the server never issued. Frameworks such as ASP.NET reduce exposure when the session identifier is kept in a cookie rather than the URL (cookieless sessions disabled), but ViewState encryption on a POST does not by itself prevent fixation, since ViewState does not carry the session identifier.

WebSafe will test for Session Fixation:
Because WebSafe tailors its scan to the web technology it detects on the site, it runs a number of tests that submit a chosen session identifier with the request, in the URL or in the POST body, and then check whether the server adopts that identifier for the resulting session. If the server does, the site is vulnerable to Session Fixation.
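The following is an added illustration, not WebSafe's code or any site's code, of both the attack described above and the kind of check a scanner performs. It uses a constructed in-memory session store with two login handlers: one that takes the identifier from the URL query string or POST body and keeps it across login, and one that only reads a cookie and regenerates the identifier at authentication. The probe plants an identifier with the login request and reports whether the authenticated session can be reached through it afterwards. All names (SessionStore, vulnerable_login, hardened_login, probe_fixation) and the request layout are assumptions made for this example.

```python
import secrets

# Constructed in-memory session store shared by both handlers (illustration only).
class SessionStore:
    def __init__(self):
        self.sessions = {}          # session id -> session data

    def issue(self):
        """Issue a fresh, server-generated identifier."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid


def vulnerable_login(store, request, username):
    """Fixation-prone handler: takes the identifier from the URL query string or
    the POST body (falling back to the cookie) and keeps it across authentication."""
    sid = (request.get("query", {}).get("sid")
           or request.get("form", {}).get("sid")
           or request.get("cookie", {}).get("sid"))
    if sid is None:
        sid = store.issue()
    store.sessions.setdefault(sid, {})        # adopts an id the server never issued
    store.sessions[sid]["user"] = username     # binds the login to the planted id
    return sid


def hardened_login(store, request, username):
    """Hardened handler: only the cookie carries the identifier, identifiers the
    server never issued are ignored, and a new identifier is issued at login."""
    old = request.get("cookie", {}).get("sid")
    if old in store.sessions:
        del store.sessions[old]                # retire the pre-authentication session
    sid = store.issue()                        # regenerate: the attacker's copy is now useless
    store.sessions[sid]["user"] = username
    return sid


def probe_fixation(store, login):
    """Scanner-style check: plant an identifier with the login request and test
    whether the authenticated session is reachable through it afterwards.
    Two plantings are tried: an arbitrary string (does the server adopt ids it
    never issued?) and a genuine pre-authentication id (does the id survive login?)."""
    results = {}

    # Planting 1: an identifier the server never issued, sent in the URL.
    arbitrary = "attacker-chosen-" + secrets.token_hex(4)
    login(store, {"query": {"sid": arbitrary}}, "victim")
    results["adopts_unissued_id"] = (
        store.sessions.get(arbitrary, {}).get("user") == "victim")

    # Planting 2: the attacker first obtains a real pre-auth id, then plants it.
    planted = store.issue()
    login(store, {"form": {"sid": planted}, "cookie": {"sid": planted}}, "victim")
    results["keeps_id_across_login"] = (
        store.sessions.get(planted, {}).get("user") == "victim")

    results["vulnerable"] = any(
        [results["adopts_unissued_id"], results["keeps_id_across_login"]])
    return results


if __name__ == "__main__":
    print("vulnerable handler:", probe_fixation(SessionStore(), vulnerable_login))
    print("hardened handler:  ", probe_fixation(SessionStore(), hardened_login))
```

The second planting matters in practice: a site may reject identifiers of the wrong format yet still be fixable, because the attacker can simply request a genuine identifier from the server and plant that one. Regenerating the identifier at authentication closes both cases.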