How does Wisej handle the session fixation attack?
https://www.owasp.org/index.php/Session_fixation
We will be cutting over to Wisej from Visual WebGUI in the coming months, and we recently had a security scan that stated we could be susceptible to this attack.
Thanks
Wisej doesn't use cookies and doesn't set the session id in the URL. The session id is stored in the browser's session storage, which is wiped out when the browser or the tab is closed. It's not possible to "fix" a value in sessionStorage beforehand.
The session id (coming from session storage) is used in the URL only when opening the WebSocket connection (which cannot be shared) and when requesting HTTP data from datagrids (combined with the unique id of the specific server-side instance of the component returning the data).
Additionally, before restoring a session Wisej verifies the client's fingerprint. The attacker and the victim must have the same IP address (IP addresses can be spoofed only to send messages; a spoofed address cannot receive any response), the same browser, user agent, etc.
Script injections also don't work with Wisej because there is no HTML page response, there is no form submit, etc. All the data exchange is done through compressed JSON. Parsing JSON doesn't execute anything, and setting DOM elements also doesn't execute anything.