Session Poisoning

Session poisoning (also referred to as "session data pollution" and "session modification") is a method of exploiting insufficient input validation within a server application. Typically, a server application that is vulnerable to this type of exploit copies user input into session variables.

The underlying vulnerability is a state management problem: shared state, race conditions, ambiguity in how state is used, or simply unprotected modification of state values.

Session poisoning has been demonstrated in server environments where different, non-malicious applications (scripts) share the same session state but use it differently, causing ambiguity and race conditions.

Session poisoning has also been demonstrated in scenarios where an attacker is able to introduce malicious scripts into the server environment, which is possible if the attacker and the victim share a web host.
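The following is an added illustration (not code from the article) of the two patterns described above: a handler that copies submitted fields straight into session variables, beside a hardened handler that writes only allowlisted, validated fields under its own namespace, so that a key written by one script cannot be mistaken for authorization state set by another. The in-memory session store, the request parameters and all function names are constructed for the example.

```python
"""Constructed example: unfiltered copying of user input into session state
versus allowlisted, namespaced session writes. Not from the original article."""
import re
from typing import Any, Dict, List

# Constructed in-memory session store: session_id -> session data.
# A real deployment would back this with a server-side session backend.
SESSIONS: Dict[str, Dict[str, Any]] = {}


def get_session(session_id: str) -> Dict[str, Any]:
    """Return (and lazily create) the session dict for a session id."""
    return SESSIONS.setdefault(session_id, {})


# ---------------------------------------------------------------------------
# Vulnerable pattern: every submitted field becomes a session variable.
# ---------------------------------------------------------------------------
def vulnerable_login(session_id: str, user_id: int, admin: bool) -> None:
    """Login script stores flat, untyped keys in the shared session."""
    session = get_session(session_id)
    session["user_id"] = user_id
    session["is_admin"] = admin


def vulnerable_profile_update(session_id: str, params: Dict[str, str]) -> Dict[str, Any]:
    """Profile script copies request parameters into the same flat session.

    Any parameter name collides with keys the login script relies on,
    so the input is never checked against what the session is supposed to hold.
    """
    session = get_session(session_id)
    for key, value in params.items():
        session[key] = value  # user input becomes session state, unfiltered
    return session


def vulnerable_is_admin(session_id: str) -> bool:
    """Authorization check that trusts whatever is under 'is_admin'.

    A non-empty string written by the profile script is truthy here,
    which is the type ambiguity the article alludes to.
    """
    return bool(get_session(session_id).get("is_admin"))


# ---------------------------------------------------------------------------
# Hardened pattern: allowlist, per-field validation, per-script namespace.
# ---------------------------------------------------------------------------
ALLOWED_PROFILE_FIELDS = {
    "display_name": re.compile(r"[A-Za-z0-9 _-]{1,32}"),
    "locale": re.compile(r"[a-z]{2}(-[A-Z]{2})?"),
}


def hardened_login(session_id: str, user_id: int, admin: bool) -> None:
    """Login script writes authorization state under its own namespace only."""
    session = get_session(session_id)
    session["auth"] = {"user_id": user_id, "is_admin": admin}


def hardened_profile_update(session_id: str, params: Dict[str, str]) -> List[str]:
    """Profile script accepts only allowlisted, pattern-validated fields.

    Writes go under session['profile']; the 'auth' namespace is never touched.
    Returns the list of rejected parameter names for logging.
    """
    session = get_session(session_id)
    profile = session.setdefault("profile", {})
    rejected: List[str] = []
    for key, value in params.items():
        pattern = ALLOWED_PROFILE_FIELDS.get(key)
        if pattern is None or not pattern.fullmatch(value):
            rejected.append(key)
            continue
        profile[key] = value
    return rejected


def hardened_is_admin(session_id: str) -> bool:
    """Authorization check reads only the login script's namespace and type."""
    auth = get_session(session_id).get("auth", {})
    return auth.get("is_admin") is True


if __name__ == "__main__":
    # Constructed request: a profile form submission carrying an extra field.
    submitted = {"display_name": "alice", "is_admin": "1"}

    vulnerable_login("v1", user_id=42, admin=False)
    vulnerable_profile_update("v1", submitted)
    print("vulnerable is_admin:", vulnerable_is_admin("v1"))  # True

    hardened_login("h1", user_id=42, admin=False)
    print("rejected fields:", hardened_profile_update("h1", submitted))  # ['is_admin']
    print("hardened is_admin:", hardened_is_admin("h1"))  # False
```

The rejected-field list is worth logging: a request that repeatedly submits parameter names matching another script's session keys is a useful detection signal for this class of problem.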
