#sessionfixation — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #sessionfixation, aggregated by home.social.
-
Alcatel-Lucent OmniAccess Stellar APs (AP1100–AP1500, AWOS ≤5.0.2 GA) hit by CRITICAL session fixation (CVE-2025-52689). Unauthenticated attackers can hijack admin sessions. No patch yet—restrict mgmt access, monitor logs. https://radar.offseq.com/threat/cve-2025-52689-cwe-384-session-fixation-in-alcatel-8cbfa686 #OffSeq #CVE202552689 #SessionFixation #WirelessSecurity
-
As always the information in this thread as well as more can be found in my notes at: https://notes.zanidd.xyz/
Thank you for reading my thread and see you in the next one :)
-
Remediating Open Redirect
- Strictly validate URLs
- Do not use user-supplied URLs
- Check supplied values (valid, not a URL, appropriate for the app)
- Sanitize input with an allowlist of trusted hosts (or regex)
- Force redirects to first go through a page notifying users that they're leaving the site
#cybersecurity #session #csrf #xss #sessionhijacking #sessionfixation
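The allowlist validation from the post above, worked through as an added example (this is not code from the post or from HTB Academy). It assumes a constructed allowlist of one host, `app.example.com`, and a fallback target of `/`; the function name `safe_redirect_target` is chosen here. It goes a little beyond the list by handling the cases that commonly slip past a naive "starts with a slash" check: scheme-relative `//host`, `///host` (which browsers collapse to an authority), backslashes, userinfo tricks and non-http schemes.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: only these hosts may be redirect targets.
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(supplied, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that is either a same-site absolute path or an
    allowlisted absolute URL; anything else falls back to `default` instead of
    being trusted."""
    if supplied is None:
        return default
    target = supplied.strip()
    if not target:
        return default
    # Control characters, whitespace and backslashes are rejected outright:
    # browsers treat "\" like "/", and CR/LF in a Location header is header injection.
    if "\\" in target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return default

    parts = urlsplit(target)

    if not parts.scheme and not parts.netloc:
        # Relative target: must be an absolute path with exactly one leading slash.
        # "//host" parses as an authority (handled below); "///host" parses here as a
        # path but browsers collapse the slashes into an authority, so it is rejected.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default

    # Absolute target: only http(s), no userinfo, and the hostname must be allowlisted.
    if parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.username is not None or parts.password is not None:
        return default
    host = parts.hostname  # lowercased by urlsplit, port stripped
    if host is None or host not in allowed_hosts:
        return default
    return target
```

Returning a fixed default rather than an error keeps the login flow working when a stale or tampered `next` parameter arrives; logging the rejected value is a useful addition for detection.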
-
Remediating CSRF
- Check if user is authorized to perform action
- Add randomly generated + non-predictable tokens (anti-csrf-token, csrf-tokens)
- Referrer Header Checking
- Implement Two-Step operation (Operation is not executed when called, but needs a verification)
- Make Cookies SameSite!
#cybersecurity #session #csrf #xss #sessionhijacking #sessionfixation
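The first three items of the CSRF list (authorization check, unpredictable token, Referer/Origin check) combined into one request check, as an added example rather than code from the post. It assumes a constructed site origin `https://app.example.com`, a per-deployment secret generated at import, and plain dicts standing in for the request's headers and form fields; `make_csrf_token`, `request_origin` and `csrf_request_ok` are names chosen here.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: the site's own origin and a per-deployment secret.
SITE_ORIGIN = "https://app.example.com"
SERVER_SECRET = secrets.token_bytes(32)


def make_csrf_token(session_id):
    """Token bound to one session: not guessable without the server secret and
    useless when replayed against a different session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Origin of the request as the browser reports it (Origin, else Referer),
    or None when neither header is present."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin
    referer = headers.get("Referer")
    if referer is None:
        return None
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def csrf_request_ok(session_id, headers, form):
    """Authorise a state-changing request: the submitted token must match the one
    bound to this session, and the browser-reported origin must be the site itself.
    A request carrying neither Origin nor Referer is rejected, not assumed safe."""
    submitted = form.get("csrf_token", "")
    expected = make_csrf_token(session_id)
    # Constant-time comparison; encode to bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False
    return request_origin(headers) == SITE_ORIGIN
```

The token check and the origin check are independent defences: a cross-site form post fails both (wrong Origin, no token), while a token leaked into a different session fails the HMAC binding. SameSite cookies, the last item of the list, are a cookie attribute rather than request logic and sit alongside this check.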
-
Remediating XSS
- Validation of user input (on the server side)
- Use positive approach (allowlist)
- verify existence of actual Input
- Enforce Input Size restriction
- Check Input Type and only allow certain types
- Check range of value and restrict it
- Sanitize special chars
- HTML Encoding Output (especially user-controlled output)
- Do not embed user input into client-side scripts
- Have a good CSP (Content Security Policy)
- Make Cookies HTTPOnly!
#cybersecurity #session #csrf #xss #sessionhijacking #sessionfixation
-
Remediating Session Fixation
- Generate new session ID after authenticated operation (invalidate pre-login session id and generate a new one post-login)
- use libraries and built-in mechanisms for session management, don't build custom implementations
Example Function for PHP:
session_regenerate_id(bool $delete_old_session = false): bool
#cybersecurity #session #csrf #xss #sessionhijacking #sessionfixation
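The two points of the session fixation post, a fresh ID after login with the old one invalidated and a store that never adopts a client-supplied ID, shown end to end as an added example in Python (not the post's PHP and not code from HTB Academy). It assumes a constructed in-memory store and a constructed one-user credential table; `SessionStore`, `login` and `session_cookie` are names chosen here. The cookie helper also covers the "HttpOnly" and "SameSite" items from the XSS and CSRF posts above.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential table: username -> PBKDF2-SHA256 hash. Real code would use a
# password-hashing library; this exists only so the login flow below is complete.
_SALT = b"constructed-example-salt"
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
}


def check_password(username, password):
    stored = _USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # Hash is computed even for unknown users so timing does not reveal valid names.
    return stored is not None and hmac.compare_digest(stored, candidate)


@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side store: IDs come only from the server, and the ID is rotated at login."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session()
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, sid):
        """Move the session to a fresh ID and invalidate the old one immediately,
        the equivalent of PHP's session_regenerate_id(true)."""
        session = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid


def session_cookie(sid):
    """Set-Cookie value for the session ID: HttpOnly (unreadable from script),
    Secure (HTTPS only) and SameSite=Lax (not sent with cross-site POSTs)."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def login(store, presented_sid, username, password):
    """Authenticate and return the post-login session ID, or None on failure."""
    # Only IDs this server issued are honoured. An ID the store has never seen
    # (for example one planted in the browser before login) is discarded and a
    # fresh pre-login session is started instead of adopting it.
    if presented_sid is None or store.get(presented_sid) is None:
        presented_sid = store.create()
    if not check_password(username, password):
        return None
    # Rotate on privilege change: pre-login data (a cart, a language choice) is kept,
    # but anyone who knew the pre-login ID can no longer use it.
    new_sid = store.regenerate(presented_sid)
    store.get(new_sid).user = username
    return new_sid
```

The same rotation belongs at any other privilege change (password change, step-up authentication), and the old ID should be gone from the store before the response carrying the new cookie is sent, so there is no window in which both IDs are valid.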
-
Remediating Session Hijacking
- Pretty challenging to counter session hijacking
- Monitoring + Anomaly Detection
- safer bet to counter than to eliminate all vulns
#hacking #cybersecurity #session #csrf #xss #sessionhijacking #sessionfixation
-
Here is some advice on how to remediate common session security attacks/vulns (based on HTB Academy).
1/? 🧵
#hacking #cybersecurity #session #csrf #xss #sessionhijacking #sessionfixation
-
Protection against user session attacks (hijack, replay, tampering, CSRF, XSS...)
https://security.stackexchange.com/questions/268882/protection-against-user-session-attacks-hijack-replay-tampering-csrf-xss
#sessionmanagement #attackprevention #sessionfixation #maninthemiddle