Many Servlet developers do not understand that a Servlet is a singleton. There is only one instance of the Servlet, and that single instance is used and re-used to handle multiple requests that are processed simultaneously by different threads.

A common result of this misunderstanding is that developers use Servlet member fields in such a way that one user may inadvertently see another user's data. In other words, storing user data in Servlet member fields introduces a data access race condition.

Example 1: The following Servlet stores the value of a request parameter in a member field and then later echoes the parameter value to the response output stream.

public class GuestBook extends HttpServlet {

   String name;

   protected void doPost (HttpServletRequest req, HttpServletResponse res) {
     name = req.getParameter("name");
     ...
     out.println(name + ", thanks for visiting!");
   }
}

While this code will work perfectly in a single-user environment, if two users access the Servlet at approximately the same time, it is possible for the two request handler threads to interleave in the following way:

Thread 1: assign "Dick" to name
Thread 2: assign "Jane" to name
Thread 1: print "Jane, thanks for visiting!"
Thread 2: print "Jane, thanks for visiting!"

Thereby showing the first user the second user's name.

A transactional resource object such as database connection can only be associated with one transaction at a time. For this reason, a connection should not be shared between threads and should not be stored in a static field. See Section 4.2.3 of the J2EE Specification for more details.

Example 1:

public class ConnectionManager {

private static Connection conn = initDbConn();
...
}

To prevent replay attacks, the SAML standard has multiple optional provisions. One provision that can be utilized is to use a unique ID in each SAML request generated by the service provider and the corresponding SAML response by the identity provider. The service provider should specify a unique ID value in the AuthnRequest element ID attribute. The identity provider should return this ID value in the attribute InResponseTo. This enables the service provider to keep track of the state for unique requests. Additionally, each Assertion in the SAML response is also identified by a unique ID. Failure to follow this mechanism can leave SAML responses susceptible to replay attacks.

Service providers rely on SAML Response messages from identity providers that contain assertions for authorizing user identity. The SAML Response can contain a timestamp to indicate when the SAML Response message was issued and how long it is valid. These values are communicated in the IssueInstant, NotOnOrAfter, and NotBefore attributes. Ideally, the value for these attributes allows the messages to be valid for one to five minutes. An attacker with access to a SAML Response message before it expires can successfully replay it to authenticate into the application if the identity provider fails to set reasonable expiration time or if the service provider does not honor the expiration time.

A SAMLResponse should contain following Conditions element as part of the assertion as shown in the following example:

  <Conditions NotBefore="2019-09-23T19:35:09.949Z" NotOnOrAfter="2019-09-23T20:35:09.949Z">
    <AudienceRestriction>
      <Audience>https://exampleSP/metadata/</Audience>
    </AudienceRestriction>
  </Conditions>

Session fixation vulnerabilities occur when:

1. A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
2. An attacker can force a known session identifier on a user so that, after the user authenticates, the attacker has access to the authenticated session.

In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to authenticate against the server using that session identifier, giving the attacker access to the user's account through the active session.

Some frameworks such as Spring Security automatically invalidates existing sessions when creating a new one. This behaviour can be disabled leaving the application vulnerable to this attack.

Example 1: The following example shows a snippet of a Spring Security protected application where session fixation protection has been disabled.

	<http auto-config="true">
        ...
        <session-management session-fixation-protection="none"/>
	</http>

Even given a vulnerable application, the success of the specific attack described here depends on several factors working in the attacker's favor: access to an unmonitored public terminal, the ability to keep the compromised session active, and a victim interested in logging into the vulnerable application on the public terminal. In most circumstances, the first two challenges are surmountable given a sufficient investment of time. Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, as long as the site is reasonably popular. The less popular the site, the lower the odds of an interested victim using the public terminal and the less chance of success for the attack vector previously described.

The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker. In Example 1, the attacker does this through an obvious direct method that does not suitably scale for attacks involving less well-known web sites. However, do not be lulled into complacency; attackers have many tools in their belts that help bypass the limitations of this attack vector. The most common technique attackers use involves taking advantage of cross-site scripting or HTTP response splitting vulnerabilities in the target site [1]. By tricking the victim into submitting a malicious request to a vulnerable application that reflects JavaScript or other code back to the victim's browser, an attacker can create a cookie that causes the victim to reuse a session identifier controlled by the attacker.

It is worth noting that cookies are often tied to the top level domain associated with a given URL. If multiple applications reside on the same top level domain, such as bank.example.com and recipes.example.com, a vulnerability in one application can enable an attacker to set a cookie with a fixed session identifier that is used in all interactions with any application on the domain example.com [2].

Other attack vectors include DNS poisoning and related network-based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. Network-based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well. This enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.

Session fixation vulnerabilities occur when:
1. A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
2. An attacker can force a known session identifier on a user so that, after the user authenticates, the attacker has access to the authenticated session.
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to authenticate against the server using that session identifier, giving the attacker access to the user's account through the active session.


Example 1: The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to the j_security_check, which typically does not invalidate the existing session before processing the login request.

<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="text" name="j_password">
</form>

In order to exploit the code above, an attacker could first create a session (perhaps by logging into the application) from a public terminal, record the session identifier assigned by the application, and reset the browser to the login page. Next, a victim sits down at the same public terminal, notices the browser open to the login page of the site, and enters credentials to authenticate against the application. The code responsible for authenticating the victim continues to use the pre-existing session identifier, now the attacker simply uses the session identifier recorded earlier to access the victim's active session, providing nearly unrestricted access to the victim's account for the lifetime of the session.
Certain versions of the OAuth protocol are known to exhibit the session fixation vulnerability. The vulnerability exists in the OAuth token authorization flow which allows an attacker to get the third party application (or consumers) request token for provider authorization and trick a legitimate user to authorize the token. Once the token is authorized, it is associated with the legitimate user in the provider application. The user is then redirected back to the consumer application with an access token. Any request for data or other actions originating from the consumer application with that access token is then trusted to be coming from the user. The attacker could then use this token to masquerade as a legitimate user via the consumer application to the provider application.

This issue results from the lack of a mechanism to ensure that the party that started the authorization flow with the consumer process is the same as the one that authorized it with the provider.

This vulnerability allows an attacker to gain unlawful access to user data stored with the provider application and perform actions against the provider application on the users behalf; effectively impersonating the user. This could lead to sensitive information disclosure, denial of service or financial loss depending on the functionality provided by the provider application.

Session identifiers are typically generated using a pseudorandom number generator (PRNG). If a PRNG fails to yield enough entropy for a strong session identifier, it is susceptible to statistical analysis. If an attacker can predict a valid session identifier, the corresponding session can be immediately hijacked.
If an attacker can obtain a valid session ID, the corresponding user data can be accessed. If the victim user has administrative privileges the attacker can gain full control over the operation of the target application.
An attacker can exploit a weak session identifier by:
1. Collecting a sample set of valid session identifiers through multiple sign ins
2. Identifying static and dynamic data trunks in the session identifiers based on the structure observed in the samples
3. Generating new valid session identifiers by sequentially increasing or decreasing dynamic data
4. Stealing information or accessing resources restricted to the users to whom the generated session identifiers are assigned
The 64-bit entropy is the known threshold that makes session ID guessing attacks impractical. For example, if a large website issues a 64-bit session ID with 32-bit entropy, it allows an attacker to attempt 1,000 guesses per second. If the web site has a user base of 10,000, an attacker requires approximately four minutes to deduce a valid session identifier.

The web application should specify a session identifier length of at least 128 bits long. If attackers can guess an authenticated user's session identifier, they can take over the user's session, which enables them to launch impersonation attacks against the application.