A comprehensive educational lab demonstrating session fixation vulnerabilities using Flask applications with PostgreSQL database and professional UI.
This lab provides hands-on experience with session fixation, a classic web session-management flaw. The attacker fixes a session identifier in the victim's browser before the victim authenticates; if the application keeps that identifier across login instead of issuing a new one, the attacker's copy of the identifier now refers to the victim's authenticated session.
- Understand session fixation attack mechanisms
- Experience a real-world attack scenario with bank login simulation
- Analyze how session IDs can be manipulated by attackers
- Learn the difference between vulnerable and secure session management
- Run the automated attack demonstration
```
session_fixation_lab/
├── static/
│   ├── css/style.css                  # Professional UI styling
│   └── js/app.js                      # Interactive JavaScript features
├── templates/
│   ├── bank_login.html                # Bank app login page
│   ├── bank_dashboard.html            # Bank app dashboard
│   ├── bank_register.html             # Bank app registration
│   ├── vulnerable_login.html          # Hacker's malicious site login
│   └── vulnerable_dashboard.html      # Hacker's malicious site dashboard
├── bank_app.py                        # Core: legitimate bank application (port 5000)
├── vulnerable_app.py                  # Core: hacker's malicious site (port 5001)
├── database.py                        # Core: PostgreSQL database operations
├── setup_fish.sh                      # Setup & demo: environment setup script
├── cleanup_fish.sh                    # Setup & demo: cleanup script
├── test_db.py                         # Setup & demo: database connection test
├── bank_session_fixation_demo.py      # Setup & demo: automated attack demo
├── Dockerfile                         # Infrastructure: PostgreSQL database setup
├── requirements.txt                   # Infrastructure: Python dependencies
└── README.md                          # This documentation
```
- Python 3.8+ with pip
- Multipass with a k3s instance running
- Docker access via multipass (using an alias)
```bash
cd session_fixation_lab
# Make scripts executable
chmod +x setup_fish.sh cleanup_fish.sh
# Run setup (creates database, virtual environment, installs dependencies)
./setup_fish.sh
# Activate virtual environment
source venv/bin/activate
# Test database
python test_db.py
```

If you are in fish (the setup script targets it), activate with `source venv/bin/activate.fish` instead of `source venv/bin/activate`; the plain `activate` script is for bash/zsh.

**Terminal 1 - Bank App (Port 5000):**
```bash
source venv/bin/activate
python bank_app.py
```

**Terminal 2 - Hacker's Malicious Site (Port 5001):**
```bash
source venv/bin/activate
python vulnerable_app.py
```

**Terminal 3 - Attack Demo:**
```bash
source venv/bin/activate
python bank_session_fixation_demo.py
```

- Bank App (`localhost:5000`): legitimate bank with secure session management
- Hacker's Malicious Site (`localhost:5001`): fake site that captures and reuses session IDs

Note that both apps live on `localhost` and differ only by port. Browsers do not isolate cookies by port, so a cookie set by `localhost:5001` is also sent to `localhost:5000`; keep that in mind when you inspect cookies in the dev tools, because it is what allows a page on the malicious port to plant a session identifier that the bank will receive.
```mermaid
sequenceDiagram
    participant H as Hacker
    participant B as Bank App
    participant V as Victim
    participant M as Malicious Site
    Note over H,M: Step 1: Hacker prepares attack
    H->>B: 1. Visits bank, logs in
    B->>H: 2. Gets session ID: "abc123"
    H->>H: 3. Logs out but keeps session ID
    Note over H,M: Step 2: Hacker tricks victim
    H->>V: 4. Sends malicious link with session ID
    Note over V: "Click here to check your bank account!"<br/>localhost:5001/login?session_id=abc123
    Note over V,M: Step 3: Victim falls into trap
    V->>M: 5. Clicks link, visits malicious site
    M->>V: 6. Sets hacker's session ID in browser
    V->>M: 7. Enters bank credentials on fake site
    M->>V: 8. "Login successful" (fake confirmation)
    Note over H,B: Step 4: Hacker hijacks session
    H->>B: 9. Uses same session ID to access bank
    B->>H: 10. Welcome! (thinks it's the victim)
    Note over H: Hacker now has access to victim's account!
```
**Step 1: Create the victim account**
```
# Visit: http://localhost:5000/bank/register
# Register with: username=victim, password=password123
```

**Step 2: Obtain a session ID as the attacker** (register the `hacker` account the same way first if it does not exist yet)
```
# Visit: http://localhost:5000/bank/login
# Login with: username=hacker, password=hacker123
# Note the session ID in browser dev tools
# Logout but remember the session ID
```

**Step 3: Plant the session ID and log the victim in**
```
# Visit: http://localhost:5001/login?session_id=YOUR_SESSION_ID
# Login with victim credentials: username=victim, password=password123
```

**Step 4: Hijack the session**
```
# Visit: http://localhost:5000/bank/dashboard
# Use the same session ID from Step 2
# You should see victim's account information!
```

The lab's `users` table:
```sql
CREATE TABLE users (
    id SERIAL PRIMARY KEY,
    username VARCHAR(50) UNIQUE NOT NULL,
    password_hash VARCHAR(255) NOT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
```

The vulnerable app does NOT regenerate session IDs after login. Whatever identifier arrived with the request (here, the one passed in the `session_id` query parameter) remains the identifier of the now-authenticated session, so anyone who planted it can use it:
```python
# VULNERABLE - Session ID remains the same
session['user_id'] = username  # Session ID unchanged!
```

The bank app regenerates session IDs after login:
```python
# SECURE - New session ID generated
session.clear()                # Clears old session, generates new ID
session['user_id'] = username  # Fresh session ID
```

Whether `session.clear()` really yields a new identifier depends on the session backend. With a server-side store the old ID has to be deleted and a fresh one generated; with Flask's default client-side signed-cookie sessions there is no server-side ID at all, because the cookie itself is the signed session contents. The check that matters is the same either way: log in and confirm that the session cookie value the browser holds afterwards differs from the one it held before, and that the old value no longer resolves to an authenticated session.
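The attack sequence above and the two snippets can be replayed without running the apps. The following is an added example written for this README, not code from `bank_app.py` or `vulnerable_app.py`: an in-memory dict stands in for the lab's PostgreSQL-backed session store, a hard-coded table for its `users` table, and the two defences are switchable so the result of each combination can be compared. `accept_client_ids` models the `?session_id=` pattern (adopting an identifier the server never issued); `regenerate_on_login` models `session.clear()` done properly (old identifier retired, new one issued).

```python
"""Session fixation and its two defences, modelled on a server-side store.

Added example for this README, not code from the lab's bank_app.py or
vulnerable_app.py. An in-memory dict stands in for the lab's PostgreSQL-
backed session store and a hard-coded user table for its `users` table.
"""
import secrets

# Constructed user table holding the two accounts the walkthrough uses.
USERS = {"victim": "password123", "hacker": "hacker123"}


class SessionApp:
    """Minimal login flow over a server-side session store.

    accept_client_ids   -- adopt an ID the client presents even though the
                           server never issued it (the ?session_id= pattern)
    regenerate_on_login -- issue a fresh ID after successful authentication
    """

    def __init__(self, accept_client_ids, regenerate_on_login):
        self.sessions = {}  # session ID -> session data
        self.accept_client_ids = accept_client_ids
        self.regenerate_on_login = regenerate_on_login

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # server-chosen, unguessable
        self.sessions[sid] = {}
        return sid

    def resolve(self, client_sid):
        """Pick the session to use for a request presenting client_sid."""
        if client_sid in self.sessions:
            return client_sid  # a live session the server issued earlier
        if client_sid is not None and self.accept_client_ids:
            # VULNERABLE: the client chose this ID; the server simply adopts it.
            self.sessions[client_sid] = {}
            return client_sid
        return self.new_session()  # unknown or absent ID: issue our own

    def login(self, client_sid, username, password):
        """Authenticate; return the session ID the client should keep using."""
        sid = self.resolve(client_sid)
        if USERS.get(username) != password:
            return sid  # failed login, session untouched
        if self.regenerate_on_login:
            # SECURE: retire the pre-auth ID so anyone who knew it is locked out.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid):
        """User bound to sid, or None if sid is unknown or unauthenticated."""
        return self.sessions.get(sid, {}).get("user")


def attack_with_issued_id(app):
    """Attacker first obtains a genuine, unauthenticated session from the
    server (just visiting the login page), plants it on the victim, and reads
    it back after the victim logs in. Returns the user the attacker sees."""
    planted = app.resolve(None)                  # attacker's own visit
    app.login(planted, "victim", "password123")  # victim logs in with it
    return app.whoami(planted)


def attack_with_chosen_id(app, planted="abc123"):
    """Attacker never contacts the server and simply picks the ID carried in
    the link (localhost:5001/login?session_id=abc123 in the diagram)."""
    app.login(planted, "victim", "password123")
    return app.whoami(planted)


def attack_matrix():
    """Run both attacks against every combination of the two defences."""
    results = {}
    for accept in (True, False):
        for regen in (False, True):
            label = "accept_client_ids=%s regenerate=%s" % (accept, regen)
            results[label] = (
                attack_with_issued_id(SessionApp(accept, regen)),
                attack_with_chosen_id(SessionApp(accept, regen)),
            )
    return results


if __name__ == "__main__":
    for label, (issued, chosen) in attack_matrix().items():
        print("%-45s issued-ID attack -> %-6s  chosen-ID attack -> %s"
              % (label, issued, chosen))
```

Running it shows why regeneration is the defence that counts: refusing client-chosen identifiers alone stops the `?session_id=abc123` variant but not an attacker who first fetches a real pre-login session from the server and plants that, whereas regenerating on login defeats both. The four configurations print `victim`/`victim`, `None`/`None`, `victim`/`None` and `None`/`None` respectively.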
```bash
# Stop all applications (Ctrl+C in each terminal)
# Clean up Docker containers and virtual environment
./cleanup_fish.sh
# Remove virtual environment if needed
rm -rf venv/
```

This lab contains intentionally vulnerable code to demonstrate security flaws. Never use this code in production environments.
After completing this lab, you will understand:
- How session fixation attacks work in practice
- Why session ID regeneration at login is critical
- How attackers exploit applications that accept a client-supplied session identifier and keep it across authentication
- The importance of secure session cookie configuration
- Real-world attack scenarios and prevention techniques
- Session Fixation: the attacker sets a known session ID in the victim's browser before the victim authenticates
- Session Regeneration: issuing a new session ID (and retiring the old one) after authentication; this is the fix for fixation
- HttpOnly Cookies: prevent JavaScript from reading the session cookie, which limits what an XSS bug can steal; it does not by itself stop fixation, since the identifier is planted rather than read
- SameSite Cookies: restrict when the browser attaches the cookie to cross-site requests, which mitigates CSRF
- Secure Session Management: the combination of the above plus `Secure` cookies over HTTPS and bounded session lifetimes
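To turn the cookie terms above into a check, here is an added example (not part of the lab) that audits a Flask-style session configuration: it inspects a plain dict shaped like `app.config`, so it runs without Flask installed. The `SECRET_KEY` and `SESSION_COOKIE_*` / `PERMANENT_SESSION_LIFETIME` keys and the defaults it assumes when a key is absent are Flask's documented ones; the thresholds for key length and session lifetime are this example's own policy choices, and both sample configs are constructed.

```python
"""Audit Flask session-cookie settings for the weaknesses listed above.

Added example for this README, not code from the lab. The config keys and
the defaults assumed for missing keys are Flask's; MIN_SECRET_KEY_BYTES and
MAX_SESSION_LIFETIME are policy values chosen for this example.
"""
import secrets
from datetime import timedelta

MIN_SECRET_KEY_BYTES = 32                   # assumed policy: 256-bit key
MAX_SESSION_LIFETIME = timedelta(hours=12)  # assumed policy


def audit_session_config(config):
    """Return a list of findings for a Flask-style config dict; [] is clean."""
    findings = []

    key = config.get("SECRET_KEY")
    if not key:
        findings.append("SECRET_KEY unset: session cookies cannot be signed")
    else:
        raw = key if isinstance(key, bytes) else key.encode()
        if len(raw) < MIN_SECRET_KEY_BYTES:
            findings.append("SECRET_KEY shorter than %d bytes" % MIN_SECRET_KEY_BYTES)

    # Flask defaults when the key is absent: HTTPONLY=True, SECURE=False,
    # SAMESITE=None, PERMANENT_SESSION_LIFETIME=31 days.
    if not config.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append("SESSION_COOKIE_HTTPONLY disabled: cookie readable by script")
    if not config.get("SESSION_COOKIE_SECURE", False):
        findings.append("SESSION_COOKIE_SECURE off: cookie is sent over plain HTTP")
    if config.get("SESSION_COOKIE_SAMESITE") not in ("Lax", "Strict"):
        findings.append("SESSION_COOKIE_SAMESITE not Lax/Strict: cookie rides cross-site requests")

    lifetime = config.get("PERMANENT_SESSION_LIFETIME", timedelta(days=31))
    if isinstance(lifetime, (int, float)):  # Flask also accepts seconds
        lifetime = timedelta(seconds=lifetime)
    if lifetime > MAX_SESSION_LIFETIME:
        findings.append("PERMANENT_SESSION_LIFETIME %s exceeds %s"
                        % (lifetime, MAX_SESSION_LIFETIME))
    return findings


# Constructed: the kind of config a lab app ships with.
WEAK_CONFIG = {"SECRET_KEY": "dev"}

# Constructed: the same app with the settings corrected.
HARDENED_CONFIG = {
    "SECRET_KEY": secrets.token_bytes(32),
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "PERMANENT_SESSION_LIFETIME": timedelta(hours=2),
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_session_config(cfg) or "no findings")
```

`SESSION_COOKIE_SECURE` only makes sense over HTTPS; on the lab's plain-HTTP `localhost` ports the browser would drop the cookie entirely, so expect that finding while running the lab and fix it in deployment, not here.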
Ready to start? Run `./setup_fish.sh` and begin your session fixation journey!