The following output is from the owasp.pl tool of my test-suite [1].
thomas:~/test-suite> ./owasp.pl output=short openstack_horizon_lpd978896.ini
[...removed output for session_fixation_public()...]
DBG: OWASP_SM_003::session_fixation_private(http://test:80/auth/login/, POST, method=Login&username=admin&password=openstack)
DBG: 1. try to login with 'method=Login&username=eviled&password=eviled' (attacker)
DBG: OWASP_SM_003::session_fixation_private: cookie = 'sessionid=a917fb9e5c35b03b690aa24ed1815a16; Path=/'
DBG: 2. try to login with 'method=Login&username=admin&password=openstack' (victim)
DBG: OWASP_SM_003::session_fixation_private: session cookie = 'sessionid=a917fb9e5c35b03b690aa24ed1815a16; Path=/'
DBG: OWASP_SM_003::session_fixation_private: new cookie = 'sessionid=a917fb9e5c35b03b690aa24ed1815a16; Path=/'
DBG: 3. compare cookie 'sessionid'
DBG: OWASP_SM_003::session_fixation_private: logged out
=====> OWASP_SM_003::session_fixation_private: CWE-384 (Session Fixation): code = 1 (msg = 'FAIL:Vulnerable to Session Fixation Attack by authenticated users (http://test:80/auth/login/)')
2 tests in 2 secs.
[1] https://gitorious.org/test-suite/test-suite
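The three-step check the log above records (attacker logs in, victim logs in while presenting the attacker's sessionid, compare the two) can be reproduced offline against a toy login endpoint. The following is an added example and not code from the test-suite or from Horizon; owasp.pl itself is Perl, Python is used here only so the example runs stand-alone. TinyApp, USERS and the rotate_on_login switch are hypothetical constructions: they model a login handler that either keeps the pre-authentication session id (the behaviour the FAIL line reports) or rotates it on successful login (the usual fix for CWE-384).

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed credential table for the example; mirrors the two accounts in the log.
USERS = {"admin": "openstack", "eviled": "eviled"}


class TinyApp:
    """Hypothetical stand-in for POST /auth/login/ with server-side sessions."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        # sessionid -> authenticated username, or None for an anonymous session
        self.sessions: Dict[str, Optional[str]] = {}

    def _new_id(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def login(self, sessionid: Optional[str], username: str, password: str) -> Tuple[str, bool]:
        """Return (sessionid sent back in Set-Cookie, login succeeded?)."""
        if sessionid not in self.sessions:
            # Absent or unknown cookie: issue a fresh anonymous session.
            sessionid = self._new_id()
        if USERS.get(username) != password:
            return sessionid, False
        if self.rotate_on_login:
            # Hardened variant: never promote a pre-auth id to an authenticated one;
            # drop it and mint a new id, so a fixated cookie stays worthless.
            del self.sessions[sessionid]
            sessionid = self._new_id()
        # Vulnerable variant falls through and binds the user to the old id.
        self.sessions[sessionid] = username
        return sessionid, True

    def whoami(self, sessionid: str) -> Optional[str]:
        return self.sessions.get(sessionid)


def session_fixation_private(app: TinyApp,
                             attacker: Tuple[str, str],
                             victim: Tuple[str, str]) -> bool:
    """Same three steps as OWASP_SM_003::session_fixation_private in the log.

    Returns True when the endpoint is vulnerable (CWE-384): the victim's login
    left the attacker's sessionid unchanged and now bound to the victim.
    """
    # 1. attacker logs in and records the sessionid the server hands out
    attacker_sid, ok = app.login(None, *attacker)
    assert ok, "attacker login must succeed for the check to be meaningful"
    # 2. victim logs in while presenting the attacker's cookie
    victim_sid, ok = app.login(attacker_sid, *victim)
    assert ok, "victim login must succeed"
    # 3. compare cookie 'sessionid': unchanged id that now maps to the victim == FAIL
    return victim_sid == attacker_sid and app.whoami(attacker_sid) == victim[0]


if __name__ == "__main__":
    attacker, victim = ("eviled", "eviled"), ("admin", "openstack")
    for rotate in (False, True):
        vulnerable = session_fixation_private(TinyApp(rotate), attacker, victim)
        print(f"rotate_on_login={rotate}: "
              + ("FAIL: CWE-384 session fixation" if vulnerable else "PASS"))
```

The check only proves fixation when both logins succeed, which is why it is the "private"/authenticated-user variant: an attacker who already holds an account can plant his own authenticated sessionid and wait for the victim to log in over it. A server that passes this check must also reject ids it never issued (the `sessionid not in self.sessions` branch), otherwise an attacker can fixate an arbitrary value rather than one of his own.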