CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
    • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
      • Apex
      • Bash
      • C
      • Clojure
      • Cpp
      • Csharp
      • Dockerfile
      • Elixir
      • Fingerprints
      • Generic
      • Go
      • Html
      • Java
      • Javascript
        • Ajv
        • Angular
        • Apollo
        • Argon2
        • Audit
        • Aws-lambda
        • Axios
        • Bluebird
        • Browser
        • Chrome-remote-interface
        • Crypto
        • Deno
        • Express
          • Direct-response-write-with-header
          • Express-child-process
          • Express-fs-filename
          • Express-sqlite-sqli
          • Mongodb
          • Mysql
          • Needle
          • Open-redirect-deepsemgrep
          • Pg
          • Redos
          • Regexp-redos
          • Request
          • Security
          • Security
          • Session-fixation
            • Session fixation
        • Fbjs
        • Firebase
        • Grpc
        • Intercom
        • Jose
        • Jquery
        • Jsonwebtoken
        • Jssha
        • Jwt-simple
        • Knex
        • Lang
        • Monaco-editor
        • Mongodb
        • Mongoose
        • Mssql
        • Mysql
        • Node-expat
        • Passport-jwt
        • Pg
        • Phantom
        • Playwright
        • Puppeteer
        • React
        • Sandbox
        • Sax
        • Sequelize
        • Serialize-javascript
        • Shelljs
        • Superagent
        • Thenify
        • Vm2
        • Vue
        • Wkhtmltoimage
        • Wkhtmltopdf
        • Xml2json
      • Json
      • Kotlin
      • Ocaml
      • Php
      • Problem-based-packs
      • Python
      • Ruby
      • Rust
      • Scala
      • Solidity
      • Swift
      • Terraform
      • Typescript
      • Yaml
    Session-fixation

    Session fixation

    session-fixation

    Detected $REQ argument which enters $RES.$HEADER, this can lead to session fixation vulnerabilities if an attacker can control the cookie value. This vulnerability can lead to unauthorized access to accounts, and in some esoteric cases, Cross-Site-Scripting (XSS). Users should not be able to influence cookies directly, for session cookies, they should be generated securely using an approved session management library. If the cookie does need to be set by a user, consider using an allow-list based approach to restrict the cookies which can be set.
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-384: Session Fixation
    OWASP:
    - A02:2017 - Broken Authentication
    - A07:2021 - Identification and Authentication Failures

    InjectionAudit
    twitterlinkedin
    Powered by Mintlify
    Assistant
    Responses are generated using AI and may contain mistakes.