Automated detection of session fixation vulnerabilities

Yusuke Takamatsu, Yuji Kosuga, Kenji Kono

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

7 Citations (Scopus)


Session fixation is a technique for obtaining a visitor's session identifier (SID) by forcing the visitor to use an SID supplied by the attacker. An attacker who obtains the victim's SID can then masquerade as the visitor. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses an attack simulator that executes a real session fixation attack and checks whether it is successful or not. In our experiments, the system successfully detected vulnerabilities in our original test cases and in a real-world web application.
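The check the abstract describes, as an added example that is not the paper's code: a toy web application with in-memory sessions (the `WebApp`, `visit`, `login` and `whoami` names are assumed), and a simulator that plays attacker and victim and reports whether the attacker-chosen SID ends up authenticated. The same check is run against a variant that regenerates the SID at login, which is the standard mitigation.

```python
# Added example: minimal model of an attack simulator for session fixation.
# Sessions live in a dict; the simulator tests whether an SID chosen
# before login still identifies the victim after login.
import secrets


class WebApp:
    """Toy server with cookie-style sessions (assumed names, not a real framework)."""

    def __init__(self, regenerate_on_login: bool):
        self.sessions = {}  # sid -> {"user": username or None}
        self.regenerate_on_login = regenerate_on_login

    def visit(self, sid=None):
        """Return the SID the server uses for this client.
        Like a permissive framework, it accepts a client-supplied SID."""
        if sid is None or sid not in self.sessions:
            sid = sid or secrets.token_hex(16)
            self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password):
        """Authenticate; return the SID the client should use afterwards."""
        if password != "correct-horse":  # constructed credential for the demo
            return sid
        if self.regenerate_on_login:
            # Mitigation: issue a fresh SID after authentication, drop the old one.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def session_fixation_vulnerable(app) -> bool:
    """Run the simulated attack and report whether it succeeded."""
    attacker_sid = app.visit()                # attacker obtains a valid SID
    victim_sid = app.visit(sid=attacker_sid)  # victim is made to use that SID
    app.login(victim_sid, "alice", "correct-horse")
    # Vulnerable if the attacker's original SID now identifies the victim.
    return app.whoami(attacker_sid) == "alice"


if __name__ == "__main__":
    print("no regeneration:", session_fixation_vulnerable(WebApp(False)))  # True
    print("regenerate at login:", session_fixation_vulnerable(WebApp(True)))  # False
```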

Original language: English
Title of host publication: Proceedings of the 19th International Conference on World Wide Web, WWW '10
Number of pages: 2
Publication status: Published - 2010
Event: 19th International World Wide Web Conference, WWW2010 - Raleigh, NC, United States
Duration: 2010 Apr 26 to 2010 Apr 30

Publication series

Name: Proceedings of the 19th International Conference on World Wide Web, WWW '10


Other: 19th International World Wide Web Conference, WWW2010
Country/Territory: United States
City: Raleigh, NC


  • session fixation
  • web application security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

