Rails4+ security: Session fixation possible at all using encrypted cookies?

After studying the rails guide and some other resources I’m wondering how a session fixation attack on a user’s session can actually happen. At least I’m sceptical it works as simply as depicted here in the guide, where an attacker…

  1. …creates a valid session by logging in

  2. …keeps the session alive

  3. …then forces the user to use his session’s id e.g. by using some XSS vulnerability

All fine, but… how would the attacker be able to gather the value of his own session id? By default cookies are encrypted in Rails4+. So what to do as an attacker assuming I do not have access to secret_key_base or whatever is used to generate the encryption and signature keys? From what I understand I cannot tamper with the cookie without invalidating it (signature wrong) so somehow passing a self-created cookie to a possible victim is not an option either.

Is the secu guide kind of not up to date or am I missing a point here? If the latter then…

a) how [as an attacker] can I read encrypted cookie information

b) what does a vulnerability have to look like that allows me [the attacker] to inject that session id into the likewise encrypted cookie on another client? Would that be an XSS attack? The guide states that if an attacker uses code like


he might be able to fix that session. But again, why would rails reveal its plain session to the client, making it accessible via client-side processed javascript? It does not, which is why all my cookie-values are simple gibberish not being accessible by Javascript (can test that via console), right?

Thanks for any advice!
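
An added example, not part of the original post and not Rails' own code: a simplified Ruby model of the server-side check the question turns on. It assumes a server-side session store keyed by an id carried in an AES-256-GCM sealed cookie (class and method names are hypothetical). It shows that a modified cookie is rejected, while an unmodified value keeps identifying the same session across login unless the id is rotated, which is what Rails' `reset_session` does.

```ruby
require "openssl"
require "securerandom"

# Simplified model (assumption, not Rails' code): sealed session id + server-side state.
class ToySessionServer
  def initialize
    @key = SecureRandom.random_bytes(32) # stands in for a key derived from secret_key_base
    @sessions = {}                       # session id => state
  end

  # Encrypt and authenticate a session id into an opaque cookie value.
  def seal(sid)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = @key
    iv = c.random_iv
    ct = c.update(sid) + c.final
    [iv + c.auth_tag + ct].pack("m0")
  end

  # Return the session id, or nil when the value was altered in any way.
  def unseal(cookie)
    raw = cookie.unpack1("m0")
    d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    d.key = @key
    d.iv = raw[0, 12]
    d.auth_tag = raw[12, 16]
    d.update(raw[28..]) + d.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
    nil
  end

  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    seal(sid)
  end

  # State the server associates with a presented cookie (nil if none).
  def lookup(cookie)
    @sessions[unseal(cookie)]
  end

  # rotate: true models reset_session: the pre-login id is discarded on login.
  def login(cookie, user, rotate:)
    sid = unseal(cookie)
    return nil unless @sessions.key?(sid)
    if rotate
      @sessions.delete(sid)
      sid = unseal(new_session)
    end
    @sessions[sid][:user] = user
    seal(sid)
  end
end
```

The key authenticates the cookie's contents, not the client that presents it, so the defence lives in the login handler rather than in the encryption.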