Java Spring Session Fixation
Description
Detects insecure session fixation protection configuration in Spring Security. Session fixation vulnerabilities occur when the application fails to generate new session identifiers upon user authentication, potentially allowing attackers to hijack authenticated sessions through predetermined session IDs.
Detection Strategy
• Checks if Spring Security HttpSecurity configuration classes are imported in the code
• Identifies session management configuration blocks in Spring Security
• Detects when sessionFixation() is configured with the 'none' strategy
• Reports a vulnerability when session fixation protection is explicitly disabled through the none configuration
Vulnerable code example
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http
                .sessionManagement()...

✅ Secure code example
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http
                .sessionManagement()...