Session fixation is an attack in which an attacker tricks a user into using a session identifier supplied by the attacker, who can then control that session.
Session hijacking is an attack where a hacker steals a user's active session to gain unauthorized access to parts of a website. Sessions store user data in a file or database on the server. It's more secure to store data in sessions than in browser cookies because the data never leaves the server. It cannot be viewed in transit or in storage. However, a session reference identifier, or session ID, is stored in a browser cookie and, like all cookies, is vulnerable to theft. An attacker with a stolen session ID can access all of the data stored in the session. Even worse, they can impersonate a logged-in user. Imagine that a user logs into a web application successfully. The web application stores a bit of data in the session file to remember that the user's logged in. This enables the user to click links and visit other pages without having to reauthenticate each time. I think of it a lot like a wristband which grants access to an event. With every request, …
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting
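The server-side defences implied by the session fixation and session hijacking passages above, as an added example that is not from the course: the server only honours session IDs it issued itself (so a planted ID is never adopted), rotates the ID at login, and sets cookie flags that make the ID harder to steal. The store `SESSIONS` and the functions `resolve_session`, `login`, `set_cookie_header` and `fixation_demo` are hypothetical names for this illustration.

```python
import secrets

# In-memory server-side session store (constructed for this example):
# session id -> session data. The data never leaves the server; only the id does.
SESSIONS = {}

def new_session():
    """Issue a fresh, unguessable session id and create its server-side record."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def resolve_session(cookie_sid):
    """Accept only ids the server itself issued. An id planted in the victim's
    cookie by an attacker is unknown to the store, so it is discarded and a new
    one issued instead of being adopted (the core session-fixation defence)."""
    if cookie_sid in SESSIONS:
        return cookie_sid
    return new_session()

def login(sid, username):
    """Rotate the session id when privilege changes: the pre-login id is retired
    and never becomes an authenticated session; session data is carried over."""
    data = SESSIONS.pop(sid)
    data["user"] = username
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = data
    return new_sid

def set_cookie_header(sid):
    """Cookie flags that reduce theft of the id in transit and in the browser:
    HttpOnly hides it from page scripts, Secure keeps it off plaintext HTTP,
    SameSite=Lax stops most cross-site requests from carrying it."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

def fixation_demo():
    """Constructed scenario: an attacker has planted a known id in the victim's
    cookie jar, then the victim visits the site and logs in."""
    planted = "attacker-chosen-id"
    pre_login = resolve_session(planted)      # server refuses to adopt planted id
    post_login = login(pre_login, "alice")    # id rotated again at login
    return {
        "planted_accepted": pre_login == planted,
        "rotated_on_login": post_login != pre_login,
        "old_id_dead": pre_login not in SESSIONS,
        "user": SESSIONS[post_login]["user"],
        "cookie": set_cookie_header(post_login),
    }
```

Because the attacker only ever learns the planted ID and the discarded pre-login ID, neither maps to the authenticated session after `login`.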
Skill level: Beginner
1. Security Overview
2. General Security Principles
3. Filter Input, Control Output
4. The Most Common Attacks
Next steps (2m 26s)