How does Wisej handle the session fixation attack?
We will be cutting over to Wisej from Visual WebGUI in the coming months, and we recently had a security scan that stated we could be susceptible to this attack.
The session id (coming from session storage) is used in the URL only when opening the websocket connection (which cannot be shared) and when requesting http data from datagrids (combined with the unique id of the specific server-side instance of the component returning the data.)
Additionally, before restoring a session Wisej verifies the client’s fingerprint. The attacker and the victim must have the same IP address (IP addresses can be spoofed only to send messages, cannot receive any response), the same browser, user agent, etc.
Script injections also don't work with Wisej because there is no HTML page response, there is no form submit, etc. All the data exchange is done through compressed JSON. Parsing JSON doesn't execute anything, and setting DOM elements also doesn't execute anything.
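The answer above describes two defences against session fixation: the session is bound to a client fingerprint that is verified before the session is restored, and the session id itself is generated by the server rather than accepted from the client. The following is an added, generic illustration of those two ideas (plus rotating the id at login, a standard complement to fingerprint checks); it is example code written for this page, not Wisej's implementation. The `SessionStore` class, the IP addresses and user-agent strings are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Generic illustration of session-fixation defences (constructed example, not Wisej code):
#  1. the session id is generated server-side, never taken from the client;
#  2. a keyed fingerprint of client properties is stored with the session and
#     must match before the session is restored;
#  3. the id is rotated when the user authenticates, so an id planted before
#     login does not survive login.


@dataclass
class Session:
    fingerprint: str
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._sessions: Dict[str, Session] = {}

    def fingerprint(self, ip: str, user_agent: str) -> str:
        # Keyed hash: the stored value cannot be reproduced without the server secret.
        msg = f"{ip}\n{user_agent}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def create(self, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of server-side randomness
        self._sessions[sid] = Session(fingerprint=self.fingerprint(ip, user_agent))
        return sid

    def restore(self, sid: str, ip: str, user_agent: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        # Refuse (without deleting, so a third party cannot knock the real owner out)
        # when the presenting client's fingerprint differs from the one bound at creation.
        if not hmac.compare_digest(self.fingerprint(ip, user_agent), s.fingerprint):
            return None
        return s

    def login(self, sid: str, ip: str, user_agent: str, user: str) -> Optional[str]:
        s = self.restore(sid, ip, user_agent)
        if s is None:
            return None
        # Rotate the id at authentication: the pre-login id becomes invalid.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(fingerprint=s.fingerprint, user=user, data=s.data)
        return new_sid


def demo() -> dict:
    """Walk through the fixation scenario with two constructed clients."""
    store = SessionStore(secrets.token_bytes(32))
    victim: Tuple[str, str] = ("203.0.113.10", "Mozilla/5.0 (victim browser)")
    other: Tuple[str, str] = ("198.51.100.7", "Mozilla/5.0 (other browser)")

    # An id obtained from one client and presented by a different client is not restored.
    planted = store.create(*other)
    planted_rejected = store.restore(planted, *victim) is None

    # The victim's own session is restored, and login rotates its id.
    sid = store.create(*victim)
    new_sid = store.login(sid, *victim, user="alice")
    restored = store.restore(new_sid, *victim)

    return {
        "planted_rejected": planted_rejected,
        "old_id_dead": store.restore(sid, *victim) is None,
        "rotated": new_sid is not None and new_sid != sid,
        "user": restored.user if restored else None,
        "cross_client_rejected": store.restore(new_sid, *other) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The fingerprint here uses only IP address and user agent, the two properties the answer names; a real deployment would pick the set of properties that is stable for its users, since mobile clients changing networks will fail a strict IP check.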