Acunetix Art

TEST and Demonstration site for Acunetix Web Vulnerability Scanner
WARNING: This is not a real shop. This is an example PHP application which is intentionally vulnerable to web attacks. It is intended to help you test security scanners and practice manual hacking skills.
Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.

Session Fixation Demo

Current Session ID: 2d175d9a777f2d8f0813e34bcedeb604

Session data:

Array
(
)

Cookie params:

Array
(
    [lifetime] => 0
    [path] => /
    [domain] => 
    [secure] => 
    [httponly] => 
    [samesite] => 
)

Note: HttpOnly is NOT SET

Note: Secure is NOT SET

Note: SameSite is

Session Fixation Attack

  1. Attacker crafts URL with session ID:
    http://victim.com/session.php?PHPSESSID=attacker_session_id
  2. Victim clicks link — session ID is set
  3. Victim logs in — session ID stays the same (no regeneration)
  4. Attacker uses same session ID → authenticated session!

Test

Set your session ID:

PHPSESSID:

Then login and check if the session ID stays the same:

# 1. Set session ID
curl -c /tmp/cookies.txt "http://localhost/session.php?PHPSESSID=my_evil_session"

# 2. Login (session should regenerate, but it doesn't)
curl -b /tmp/cookies.txt -c /tmp/cookies.txt -X POST -d "uname=test&pass=test" "http://localhost/login.php"

# 3. Check session ID
curl -b /tmp/cookies.txt "http://localhost/session.php"

Additional Session Issues