[SOLVED] Session fixation


How does Wisej handle the session fixation attack?


We will be cutting over to Wisej from Visual WebGui in the coming months, and we recently had a security scan that stated we could be susceptible to this attack.



Best Answer

Wisej doesn’t use cookies and doesn’t set the session id in the URL. The session id is stored in the browser’s session storage, which is wiped out when closing the browser or the tab. It’s not possible to “fix” a value in sessionStorage beforehand.

The session id (coming from session storage) is used in the URL only when opening the websocket connection (which cannot be shared) and when requesting HTTP data from datagrids (combined with the unique id of the specific server-side instance of the component returning the data).

Additionally, before restoring a session Wisej verifies the client’s fingerprint. The attacker and the victim must have the same IP address (IP addresses can be spoofed only to send messages, not to receive any response), the same browser, user agent, etc.

Script injections also don’t work with Wisej because there is no HTML page response, there is no form submit, etc. All the data exchange is done through compressed JSON. Parsing JSON doesn’t execute anything, and setting DOM elements also doesn’t execute anything.
