Session Injection

Session Injection is an attack in which attacker-controlled data is written into a user's session, typically because the application copies request parameters into the session without validation, trusts serialized session data that the client can modify, or lets the session identifier reach file or database operations. Because later requests treat the session as trusted state, the injected data can lead to privilege escalation, data manipulation, or (through insecure deserialization) code execution.

Attack Vectors

Parameter Pollution into Session

# Application stores user input in session without validation
POST /profile?role=admin
# Server: session[:role] = params[:role]

# Attacker now has admin role in their session
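The assignment above, side by side with a hardened version, as an added example that is not part of the original page. The vulnerable function mirrors `session[:role] = params[:role]` and stores every parameter; the hardened one accepts only an allow-list of profile fields, validates each value, and takes the role from the server-side user record instead. Function names, the allow-list and the sample request are assumptions made for the example.

```python
# Added example: storing request parameters in a session, vulnerable vs hardened.
import re

# Keys a user may legitimately update through /profile, each with a validator
# (assumed set of fields for this example).
ALLOWED_PROFILE_FIELDS = {
    "display_name": lambda v: isinstance(v, str) and 1 <= len(v) <= 64,
    "locale": lambda v: isinstance(v, str)
    and re.fullmatch(r"[a-z]{2}(-[A-Z]{2})?", v) is not None,
}


def store_params_vulnerable(session: dict, params: dict) -> dict:
    """Equivalent of 'session[:role] = params[:role]': trusts every parameter."""
    for key, value in params.items():
        session[key] = value
    return session


def store_params_hardened(session: dict, params: dict) -> dict:
    """Copy only allow-listed, validated fields; unknown keys such as 'role'
    are ignored, invalid values are rejected before anything is stored."""
    for key, value in params.items():
        validator = ALLOWED_PROFILE_FIELDS.get(key)
        if validator is None:
            continue
        if not validator(value):
            raise ValueError(f"invalid value for {key!r}")
        session[key] = value
    return session


def set_role_from_server(session: dict, user_record: dict) -> dict:
    """Authorization data comes only from the server-side user record."""
    session["role"] = user_record["role"]
    return session


if __name__ == "__main__":
    # Constructed request: POST /profile?role=admin&display_name=Mallory
    attacker_params = {"role": "admin", "display_name": "Mallory"}
    print(store_params_vulnerable({"role": "user"}, attacker_params))
    print(store_params_hardened({"role": "user"}, attacker_params))
```

The important design choice is that the hardened path never consults the request for authorization data at all; validating the value of `role` would still leave the client in control of it.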

Session Deserialization

# Session data stored as a PHP-serialized object that the client can modify
# (e.g. a cookie-backed session, or a session store the attacker can write to;
# with PHP's default server-side session files the cookie holds only the ID)
# Attacker modifies the serialized data to contain:
O:4:"User":2:{s:4:"name";s:5:"admin";s:7:"isAdmin";b:1;}

# When deserialized, isAdmin becomes true; with a suitable class available,
# unserialize() of attacker-controlled data can also lead to code execution
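The same tampering against a client-side session cookie, and the check that stops it, as an added example not taken from the original page. The unsigned variant trusts whatever the client sends, which is the situation the modified serialized object above exploits; the signed variant stores the data as JSON (no object graph to deserialize) and appends an HMAC, so a payload edited by the client fails verification. The secret, cookie layout and field names are assumptions made for the example.

```python
# Added example: unsigned vs HMAC-signed client-side session cookies.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example; in practice load it from a secrets store.
SERVER_SECRET = b"constructed-example-secret-do-not-use"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(session: dict) -> str:
    return _b64e(json.dumps(session, sort_keys=True, separators=(",", ":")).encode())


def make_unsigned_cookie(session: dict) -> str:
    return _encode(session)


def load_unsigned_cookie(cookie: str) -> dict:
    """Vulnerable: the client can set isAdmin to true and the server believes it."""
    return json.loads(_b64d(cookie))


def make_signed_cookie(session: dict, secret: bytes = SERVER_SECRET) -> str:
    """payload.tag, where tag = HMAC-SHA256(secret, payload)."""
    payload = _encode(session)
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def load_signed_cookie(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the session only if the tag verifies; None on any tampering or garbage."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    try:
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None  # payload or tag was modified, or a different key was used
        return json.loads(_b64d(payload))
    except ValueError:  # bad base64 or bad JSON
        return None


def tamper(cookie: str, **changes) -> str:
    """Simulate the attacker: edit the payload but keep the original tag,
    since a new tag cannot be computed without the server secret."""
    payload, _, tag = cookie.rpartition(".")
    data = json.loads(_b64d(payload))
    data.update(changes)
    return f"{_encode(data)}.{tag}"


if __name__ == "__main__":
    legit = {"name": "alice", "isAdmin": False}
    print(load_unsigned_cookie(make_unsigned_cookie({"name": "admin", "isAdmin": True})))
    signed = make_signed_cookie(legit)
    print(load_signed_cookie(signed))
    print(load_signed_cookie(tamper(signed, isAdmin=True)))
```

Signing only gives integrity: the client can still read the payload, so anything sensitive needs encryption in addition, and the server must still treat the verified contents as data, not as objects to instantiate.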

Session File Injection

# If the session ID from the cookie is used in a file path without validation
# (no allow-listed character set, no check that the result stays in the session directory)
Session ID: ../../tmp/malicious

# Could read, create or overwrite files outside the session directory
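A file-backed session store that derives its path from the session ID, in the vulnerable form and a hardened one, as an added example not taken from the original page. The hardened lookup accepts only IDs that match the format the server itself generates and then re-checks that the resolved path is a direct child of the session directory. The directory layout, the ID format and the helper names are assumptions made for the example.

```python
# Added example: session ID used in a file path, vulnerable vs hardened lookup.
import re
import secrets
from pathlib import Path

# Accept only what new_session_id() can produce: URL-safe token characters.
SESSION_ID_RE = re.compile(r"\A[A-Za-z0-9_-]{32,64}\Z")


def new_session_id() -> str:
    """Opaque random ID, never derived from anything the client supplies."""
    return secrets.token_urlsafe(32)  # 43 characters from the allow-listed alphabet


def session_path_vulnerable(session_dir: str, session_id: str) -> Path:
    """Builds the path straight from the cookie value (the pattern on this page)."""
    return Path(f"{session_dir}/{session_id}")


def session_path_hardened(session_dir: str, session_id: str) -> Path:
    """Reject IDs outside the allow-list, then confirm the resolved path is a
    direct child of the session directory (defence in depth if the regex is ever loosened)."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("malformed session id")
    base = Path(session_dir).resolve()
    candidate = (base / session_id).resolve()
    if candidate.parent != base:
        raise ValueError("session path escapes session directory")
    return candidate


def path_escapes(session_dir: str, path: Path) -> bool:
    """True when path does not resolve to a direct child of session_dir."""
    return path.resolve().parent != Path(session_dir).resolve()


def demo(session_dir: str = "/var/lib/sessions") -> dict:
    """Compare both lookups on a fresh ID and on the traversal ID from the page."""
    attacker_id = "../../tmp/malicious"
    good_id = new_session_id()
    result = {
        "vulnerable_escapes": path_escapes(
            session_dir, session_path_vulnerable(session_dir, attacker_id)
        ),
        "hardened_accepts_good_id": session_path_hardened(session_dir, good_id).name == good_id,
    }
    try:
        session_path_hardened(session_dir, attacker_id)
        result["hardened_rejects_traversal"] = False
    except ValueError:
        result["hardened_rejects_traversal"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The same two checks apply when the session ID is used as a database or cache key: validate the format before the lookup, and never let the value influence which table, collection or namespace is addressed.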

Common Vulnerabilities

  • Storing user input directly in session
  • Insecure session deserialization
  • Session ID used in file/database operations
  • Shared session storage without isolation

Prevention

  • Validate and allow-list data before storing it in the session; never store authorization attributes such as role from request input
  • Sign client-side session cookies so tampering is detected, and encrypt them if their contents are sensitive
  • Avoid deserializing untrusted session data; prefer a plain data format such as JSON over native object serialization
  • Don't allow user input to influence session keys, file paths, or database lookups; accept only server-generated session IDs
  • Use server-side session storage keyed by an opaque random identifier

See Also