Session fixation bug on coinbase.
Last updated 1 year ago
********

This is an older post (written around 2015) and ported from my old blog. Please excuse any mistakes or inaccuracies. If you find any issues, please head over to the home page > contact me. Thanks.

********

Hey, today I am going to share one of my findings on Coinbase, a leading BTC trading platform.

The bug was a session fixation bug.

Briefly:

When a new session cookie was issued, the old session cookie was still accepted by the server, so the user was not really logged out.

Attack Scenario:

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn’t assign a new session ID, making it possible to use an existent session ID. The attack consists of inducing a user to authenticate himself with a known session ID, and then hijacking the user-validated session by the knowledge of the used session ID. - OWASP

PoC from the HackerOne report:

When a request with an invalid authenticity_token is received, the user is logged out (tested by updating the user's phone number) and receives a new session cookie, which is not authenticated at this point. However, the authenticated session cookie the user held before being logged out remains active. This is the same bug as the HackerOne report linked at the end of this post.

In other words, the server serves a new session cookie but keeps accepting the old one, which is bad practice. Session handling is a well-known security concern for web applications, and poor session management of this kind can lead to account takeover through session hijacking: whoever holds the earlier cookie can keep using it after the victim believes they have logged out, because the cookie that should have expired is still validated by the server. Strictly speaking, the server does rotate the session ID here; the failure is that rotating the ID without revoking the old one server-side leaves the previous session usable. The correct behaviour is to invalidate the old session ID whenever a new one is issued, on login, on logout and on a forced logout like the one triggered here.
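The following is an added example, not code from the original post or from Coinbase, that models the flaw above with a small in-memory session store and a check that reproduces the reported sequence (login, state-changing request with a bad authenticity_token, forced logout with a fresh cookie, then reuse of the old cookie). The `SessionStore` class, the `invalidate_old` switch, the `update_phone` endpoint and the test user are all constructed for illustration; the hardened mode revokes the old session ID whenever a new one is issued.

```python
"""
Constructed model of the session-handling flaw: after a forced logout the
server issues a new session cookie but keeps honouring the old one.
Pure in-memory, no web framework; all names and data here are made up.
"""
import secrets

USERS = {"alice": "correct horse battery staple"}  # constructed test user


class SessionStore:
    """Minimal server-side session store.

    invalidate_old=False reproduces the reported behaviour (new cookie issued,
    old one still accepted); invalidate_old=True is the hardened behaviour
    (old session ID revoked whenever a new one is issued).
    """

    def __init__(self, invalidate_old):
        self.invalidate_old = invalidate_old
        # session_id -> {"user": str or None, "csrf": str, "phone": str or None}
        self._sessions = {}

    def new_session(self, user=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "phone": None}
        return sid

    def _rotate(self, old_sid, user):
        """Issue a fresh session ID; revoke the old one only in hardened mode."""
        if self.invalidate_old:
            self._sessions.pop(old_sid, None)
        return self.new_session(user)

    def login(self, sid, username, password):
        """Authenticate; on success the session ID is regenerated (anti-fixation)."""
        if USERS.get(username) != password:
            return None
        return self._rotate(sid, username)

    def logout(self, sid):
        """Log out: hand back an unauthenticated session cookie."""
        return self._rotate(sid, None)

    def user_of(self, sid):
        s = self._sessions.get(sid)
        return s["user"] if s else None

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf"]

    def update_phone(self, sid, authenticity_token, phone):
        """State-changing request. A bad authenticity_token forces a logout and
        a fresh, unauthenticated cookie, the same path as in the report."""
        s = self._sessions.get(sid)
        if s is None or s["user"] is None:
            raise PermissionError("not authenticated")
        if not secrets.compare_digest(authenticity_token, s["csrf"]):
            return False, self.logout(sid)
        s["phone"] = phone
        return True, sid


def old_cookie_survives_forced_logout(store):
    """Reproduce the report: does the pre-logout cookie still authenticate?"""
    anon = store.new_session()
    old_sid = store.login(anon, "alice", USERS["alice"])
    assert store.user_of(old_sid) == "alice"
    ok, new_sid = store.update_phone(old_sid, "invalid-token", "+10000000000")
    assert not ok and new_sid != old_sid and store.user_of(new_sid) is None
    return store.user_of(old_sid) == "alice"


def session_id_rotates_on_login(store):
    """Classic fixation check: an ID known before login must never become authenticated."""
    attacker_known = store.new_session()
    victim_sid = store.login(attacker_known, "alice", USERS["alice"])
    return victim_sid != attacker_known and store.user_of(attacker_known) != "alice"


if __name__ == "__main__":
    for mode in (False, True):
        store = SessionStore(invalidate_old=mode)
        print(f"invalidate_old={mode}: old cookie still valid after forced logout ->",
              old_cookie_survives_forced_logout(store))
```

Against a real target the same check is done with two cookie jars: keep a copy of the authenticated cookie, trigger the logout path, then replay a request with the saved cookie and see whether the server still treats it as the logged-in user.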

Bug URL: https://hackerone.com/reports/6660

Note: you may not be able to view the report, as HackerOne has not yet approved my request to disclose it; feel free to check back, as approval may take some time ;)

Have a nice day,

Please drop your comments :)

https://hackerone.com/reports/737